The SSL Heartbleed bug explained in 30 seconds

Another excellent comic by xkcd (a site that publishes dev/op/web-related comics, usually nailing things right to the head): This time explaining one of the worst bugs in IT history, the OpenSSL “Heartbleed Bug” (links to official bug page). For everybody who lived under a rock in the last days: Several weeks ago a bug in the open source OpenSSL library (that is used in, well, nearly everything that uses SSL, from major websites to NAS systems, from Android to routers) was discovered and major websites were informed secretly (to prevent criminals getting notice on that). The bug is basically a broken parameter check that allows the user/attacker to request a “full” memory dump. A full memory dump. With passwords, SSH keys, etc. in it.

A few days ago, TheVerge wrote an article about the bug, reaching mass attention, opening heaven for cyber-criminals. Side-fact: It’s interesting to see the extreme mass of news coverage created by bugs in (open source) software these days: Heartbleed and Apple’s OpenSSL bug (test site) have made it to the #1 article in quality newspapers, tv news and for sure online newspapers all over Europe. Somebody ran a mass test against the top1000/top10.000 pages in the world, checking major websites for vulnerability – and listed the results here on GitHub. This list is unproven, but the names are awesome. Note that this list has been created after the bug went viral, so we don’t talk about a theoretical bug here.

You can make a basic check for the bug on this Heartbleed test site.