Heartbleed explained (two takes)

I appreciated the following succinct description of the Heartbleed vulnerability (from The Internet’s Telltale Heart):

Heartbleed is a bug in OpenSSL’s implementation of a small part of the T.L.S. protocol, called the heartbeat extension. A “heartbeat,” in this context, is like the “beep… beep…” of a hospital heart monitor: a quick way to check that the other end of a secure connection is still there. One side sends the other side a small piece of data, up to sixty-five kilobytes long, along with a number indicating the size of the data that has been sent. The other side is supposed to send back the exact same piece of data to confirm that the connection is still active. Unfortunately, in OpenSSL the replying side looks at the stated size of the data rather than at the actual size, and it always sends back the amount of data that the request asked for, no matter how much was sent. This means that if the stated amount of data is less than the amount actually provided, the response contains the data that was sent plus however much additional data, drawn from the contents of the computer’s system memory, is required to match the amount requested.

Of course, XKCD nails it in a more visual/narrative fashion.
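To make the length confusion concrete, here is an added example in C (not code from the quoted article, from XKCD, or from OpenSSL itself). It simulates a heartbeat handler twice: once trusting the two-byte length field the sender wrote, and once with the shape of the check OpenSSL added in 1.0.1g, which requires the declared payload plus header and minimum padding to fit inside the bytes the record layer actually delivered. The `arena`, `LEAK_MARK`, and helper names are constructed for this demo; the message layout follows RFC 6520. The leak occurs when the declared length is larger than the data actually sent, so the hardened handler discards such a request instead of answering it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   byte 0     HeartbeatMessageType (1 = request, 2 = response)
 *   bytes 1-2  payload_length, big-endian
 *   payload    payload_length bytes
 *   padding    at least 16 bytes
 * The arena is a constructed stand-in for process memory: the record sits at
 * its start and every byte after it is filled with LEAK_MARK, representing
 * whatever else happened to live next to the record. */
#define HB_REQUEST  1
#define HB_PADDING  16
#define ARENA_SIZE  70000  /* exceeds any 16-bit length plus header */
#define LEAK_MARK   0xAA   /* never appears in the payloads used here */

static unsigned char arena[ARENA_SIZE];

/* Place a request in the arena. The return value is the record length the
 * transport really delivered; declared_len is what the sender wrote. */
static size_t build_request(const char *payload, uint16_t declared_len)
{
    size_t n = strlen(payload);
    memset(arena, LEAK_MARK, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, payload, n);
    memset(arena + 3 + n, 0, HB_PADDING);
    return 1 + 2 + n + HB_PADDING;
}

static size_t declared_length(void)
{
    return (size_t)((arena[1] << 8) | arena[2]);
}

/* Vulnerable shape: the echo length is the sender's field; record_len is
 * ignored. The ARENA_SIZE guard only keeps this simulation inside its own
 * buffer. Returns 0 on success. */
static int respond_unchecked(size_t record_len, unsigned char *out,
                             size_t out_cap, size_t *out_len)
{
    (void)record_len;
    size_t payload_len = declared_length();
    if (3 + payload_len > ARENA_SIZE || payload_len > out_cap)
        return -1;
    memcpy(out, arena + 3, payload_len);
    *out_len = payload_len;
    return 0;
}

/* Fixed shape (OpenSSL 1.0.1g): header, declared payload and minimum padding
 * must fit in what arrived; otherwise discard silently (RFC 6520, sec. 4). */
static int respond_checked(size_t record_len, unsigned char *out,
                           size_t out_cap, size_t *out_len)
{
    if (1 + 2 + HB_PADDING > record_len)
        return -1;
    size_t payload_len = declared_length();
    if (1 + 2 + payload_len + HB_PADDING > record_len)
        return -1;
    if (payload_len > out_cap)
        return -1;
    memcpy(out, arena + 3, payload_len);
    *out_len = payload_len;
    return 0;
}

/* Response bytes that did not come from the request itself. */
static size_t leaked_bytes(const unsigned char *out, size_t out_len)
{
    size_t leaked = 0;
    for (size_t i = 0; i < out_len; i++)
        if (out[i] == LEAK_MARK)
            leaked++;
    return leaked;
}

/* 1 if the hardened handler answers the request, 0 if it discards it. */
static int checked_accepts(const char *payload, uint16_t declared_len)
{
    static unsigned char out[ARENA_SIZE];
    size_t n = 0;
    size_t rec = build_request(payload, declared_len);
    return respond_checked(rec, out, sizeof out, &n) == 0;
}

/* Marked bytes the unchecked handler would echo for the same request. */
static size_t leaked_via_unchecked(const char *payload, uint16_t declared_len)
{
    static unsigned char out[ARENA_SIZE];
    size_t n = 0;
    size_t rec = build_request(payload, declared_len);
    if (respond_unchecked(rec, out, sizeof out, &n) != 0)
        return 0;
    return leaked_bytes(out, n);
}

int main(void)
{
    printf("honest 4-byte request: checked accepts=%d, unchecked leaks=%zu\n",
           checked_accepts("ping", 4), leaked_via_unchecked("ping", 4));
    printf("4 bytes sent, 2000 declared: checked accepts=%d, unchecked leaks=%zu\n",
           checked_accepts("ping", 2000), leaked_via_unchecked("ping", 2000));
    return 0;
}
```

The arithmetic in the second case is the whole bug: 4 payload bytes plus 16 bytes of padding arrive, so the unchecked handler's 2000-byte reply contains 1980 bytes it never received, while the checked handler notices that 1 + 2 + 2000 + 16 exceeds the 23-byte record and answers nothing.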
