https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&feedformat=atom&user=Deanstylesexplain xkcd - User contributions [en]2026-04-17T17:35:25ZUser contributionsMediaWiki 1.30.0https://www.explainxkcd.com/wiki/index.php?title=1353:_Heartbleed&diff=649801353: Heartbleed2014-04-09T19:42:03Z<p>Deanstyles: The mouseover shows a list of could be in 64Kb...then adds that even replicant memory could be found in it</p>
<hr />
<div>{{comic<br />
| number = 1353<br />
| date = April 9, 2014<br />
| title = Heartbleed<br />
| image = heartbleed.png<br />
| titletext = I looked at some of the data dumps from vulnerable sites, and it was ... bad. I saw emails, passwords, password hints. SSL keys and session cookies. Important servers brimming with visitor IPs. Attack ships on fire off the shoulder of Orion, c-beams glittering in the dark near the Tannhäuser Gate. I should probably patch OpenSSL.<br />
}}<br />
<br />
==Explanation==<br />
"Heartbleed" refers to a critical bug in the OpenSSL security library. This bug was publicly revealed on Monday, April 7th, 2014.<br />
Due to a programming error in OpenSSL versions 1.0.1 through 1.0.1f (inclusive, i.e., the bug has existed for two years), attackers could read random server memory by sending specially prepared HeartbeatRequest messages to an affected server.<br />
<br />
OpenSSL is a very commonly used library to implement {{w|SSL/TLS}}, a web protocol that encrypts web traffic such that only the user and the server can read the communication. This is the protocol behind http'''s''':// (HTTP Secure) connections. SSL is often used to protect sensitive web traffic, such as login requests, which contains the usernames and passwords in the requests.<br />
<br />
A vulnerability that lets an attacker read random clumps of memory on the server would possibly let an attacker find recent username/password requests, allowing them to gain unauthorized access to user accounts. Even worse, this vulnerability could read the server's private key, enabling anyone to impersonate the server and/or decrypt any future traffic that relies on that key, and any previously-obtained prior traffic also, unless a "perfect forward secrecy" ciphers is used, which is currently rare. Furthermore, the hearbleed exploit occurs during the handshake phase of setting up a connection, so no traces of it are logged, i.e. you can be attacked and never be the wiser.<br />
<br />
More information is available at [http://heartbleed.com heartbleed.com] or under CVE-2014-0160, [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160 at nvd.nist.gov]<br />
<br />
The mouseover text cites the {{w|Tears in rain soliloquy}}, the dying words of the replicant and main antagonist Roy Batty (played by {{w|Rutger Hauer}}) in the 1982 film ''{{w|Blade Runner}}'', implying that the 64Kb HeartBleed buffer is so complete it includes memories from replicant brains.<br />
<br />
==Transcript==<br />
:Megan: Heartbleed must be the worst web security lapse ever.<br />
:Cueball: Worst so far. Give us time.<br />
:Megan: I mean, this bug isn't just broken encryption.<br />
:Megan: It lets website visitors make a server dispense random memory contents.<br />
:Megan: It's not just keys. It's traffic data. Emails. Passwords. Erotic fanfiction.<br />
:Cueball: Is '''everything''' compromised?<br />
:Megan: Well, the attack is limited to data stored in computer memory.<br />
:Cueball: So paper is safe. And clay tablets.<br />
:Megan: Our imaginations, too.<br />
:Cueball: See, we'll be fine.<br />
<br />
{{comic discussion}}</div>Deanstyles