1354: Heartbleed Explanation
Title text: Are you still there, server? It's me, Margaret.
The Heartbleed bug has received a lot of news coverage recently and was also the topic of the previous comic 1353: Heartbleed. This comic explains how the bug may have been discovered and can be exploited to reveal a server's memory contents. A hypothetical cracker Meg sends heartbeat requests to the server, the server responds to the heartbeat request by returning the contents of the body of the request up to the number of letters requested. The first two requests are well formed, requesting exactly the number of characters in the request body. The server's memory is showing Meg's request with many other requests going on at the same time.
The last request asks for "HAT" but requests that it be 500 letters long; the server — not checking if or simply unaware that 500 letters is larger than the request body — returns "HAT" plus 497 letters that happened to be next to the word "HAT" in its memory. Included are many sensitive bits of information, including a master key and user passwords. One of the passwords shown is "CoHoBaSt", a reference to 936: Password Strength, which suggests using "correct horse battery staple" as a password.
Often popular explanations of security bugs require the issue to be simplified a lot and to leave out a lot of details. In this case Randall didn't have to do much simplifying; the bug is actually that simple. Also, it should be noted that any client which can connect to the server typically can exploit this bug in the underlying OpenSSL software — the use of the term "User Meg" does not imply that Meg had to authenticate first.
The title text is a reference to Are you there God? It's me, Margaret. a novel by Judy Blume, and plays off of the "server, are you still there?" line in every panel where she did start a request. Meg can be a nickname for Margaret as well as Megan, which perhaps explains why the character's usual name, Megan, is abbreviated here.
- How the Heartbleed bug works:
- Megan: Server, are you still there? If so, reply "POTATO" (6 letters).
- The server's memory is shown: ...wants pages about boats. User Erica requests secure connection using key "4538538374224". User Meg wants these 6 letters: POTATO. User Ada wants pages about "irl games". Unlocking secure records with key 5130985733435. Maggie (chrome user) sends this message: "Hi...
- Server shows the same memory content but POTATO is highlighted.
- Server: POTATO
- Megan: Server, are you still there? If so, reply "BIRD" (4 letters).
- The server's memory is shown: ...User Olivia from London wants pages about "mad bees in car why". Note: Files for IP 375.381.283.17 are in /tmp/files-3843. User Meg wants these 4 letters: BIRD. There are currently 346 connections open. User Brendan uploaded the file selfie.jpg (contents: 834ba962e2ceb9ff89bd3bff8c...
- Server shows the same memory content but now with BIRD highlighted.
- Server: BIRD
- Megan: Hmm...
- Megan: Server, are you still there? If so, reply "HAT" (500 letters).
- Server memory: ...a connection. Jake requested pictures of deer. User Meg wants these 500 letters: HAT. Lucas requests the "missed connections" page. Eve (administrator) wants to set server's key to "14835038534". Isabel wants pages about "snakes but not too long". User Karen wants to change account password to "CoHoBaSt". User...
- Server shows the same memory content, highlighting the first 500 letters of the memory beginning at HAT.
- Server: HAT. Lucas requests the "missed connections" page. Eve (administrator) wants to set server's key to "14835038534". Isabel wants pages about "snakes but not too long". User Karen wants to change account password to "CoHoBaSt". User Amber requests pages...
- Megan writes this all down.
add a comment! ⋅ add a topic (use sparingly)! ⋅ refresh comments!