The Heartbleed bug has been a nightmare this week for all major public websites using OpenSSL versions 1.0.1 to 1.0.1f (inclusive). Here is a brief explanation of the bug:
1. OpenSSL is a cryptographic library used to encrypt communication over the internet. The lock icon you see in your browser when you access an https website indicates such an encrypted connection, which on most servers is provided by OpenSSL.
2. Heartbeat is the TLS extension in OpenSSL that sends a request to the peer to keep the TLS session alive. The buggy code is in this module.
3. To keep the session alive, the heartbeat module sends a request containing a payload and a field stating the payload's size. For example, the payload is 1 byte and the stated size should be 1 byte, but an attacker can set it to 65000 bytes.
4. In the example above, the payload actually sent was 1 byte, but the attacker used a fake size of 65000 bytes. The code does not compare the stated payload size with the size actually received in the request, and this is what creates the problem.
5. The payload is then copied in the memory of the https server. The payload is 1 byte, but because the attacker claimed 65000 bytes, the server reads the following 65000 bytes of its own memory as if they were part of the payload.
6. The server responds with the actual payload (1 byte) plus the 65000 bytes copied from its memory. This is the actual bug. Remember that all of this happens just to keep the session alive.
7. The attacker now has 65000 bytes of data from the server's memory that they were never supposed to see, and it may contain confidential data such as passwords, decryption keys, etc.
8. If someone has been recording all the traffic to a website for the last year and now obtains the keys from server memory, they can decrypt all of that data and create mayhem.
9. There is no way to know whether your data was exposed. Make sure you change your user passwords on all major websites you use.
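As an added illustration (not code from the original post and not OpenSSL's own code), here is a small C handler for the heartbeat message that performs the length check described in points 4 to 6: the declared payload size must fit inside the record that actually arrived, otherwise the message is dropped and nothing beyond the received bytes is ever echoed back. The message layout follows RFC 6520; the two sample records (a 1-byte payload claiming 1 byte, and the same payload claiming 65000 bytes) are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian payload_length,
 * payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Check that the declared payload_length fits inside the record actually
 * received. Returns 1 and sets *plen if so, else 0 (message must be dropped).
 * This is the bounds check the vulnerable OpenSSL versions did not perform. */
int heartbeat_length_ok(const unsigned char *rec, size_t rec_len, uint16_t *plen)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;          /* too short to be valid */
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + declared + HB_PADDING > rec_len) return 0; /* the Heartbleed check */
    *plen = declared;
    return 1;
}

/* Build the echo response, copying only bytes that were really received.
 * Returns the response length, or 0 if the request was rejected. */
size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    uint16_t plen;
    if (!heartbeat_length_ok(rec, rec_len, &plen) || rec[0] != HB_REQUEST) return 0;
    if (out_cap < (size_t)3 + plen + HB_PADDING) return 0;  /* output buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(plen >> 8); out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + 3, rec + 3, plen);                 /* bounded by the check above */
    memset(out + 3 + plen, 0, HB_PADDING);          /* fresh padding, not old memory */
    return 3 + plen + HB_PADDING;
}

/* Constructed sample records (not captured traffic): a 1-byte payload 'A' with
 * an honest length of 1, and the same record claiming 65000 (0xFDE8) bytes. */
size_t demo_honest_response_len(void)
{
    unsigned char rec[20] = { HB_REQUEST, 0x00, 0x01, 'A' }, out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);       /* 20 */
}
int demo_oversized_rejected(void)
{
    unsigned char rec[20] = { HB_REQUEST, 0xFD, 0xE8, 'A' }, out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out) == 0;  /* 1 */
}
```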