Question: How does Heartbleed work?

Heartbleed affects a piece of software called OpenSSL, which is used to secure some of the world's most popular and heavily used web servers. Through OpenSSL, websites can serve information to their visitors over an encrypted connection, which in turn lets visitors send very sensitive data to the websites (such as passwords, cookies, and usernames) without it being seen by others on the way from the computer to the website.
OpenSSL has a built-in feature called heartbeat: a short message one side of the connection sends to let the other side know it is still active and responsive. Each heartbeat request carries a small piece of data and states how long that piece is, and the server answers by echoing the same data back. In normal cases the reply contains exactly the amount of data the request sent. On servers affected by the bug, this is not the case: an attacker can send a request that claims to contain far more data than it actually does, and the server, without checking the claim, answers with that larger amount.
The extra data beyond what the request actually contained is whatever happened to be in the server's memory next to the request, which may be things left behind by the program's other parts. As more computers connect to the server, that memory is freed and reused, so pieces of earlier requests may still be sitting in the memory block the attacker gets back. Those bytes can include cookies and log-in credentials, which attackers would, of course, exploit.
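The heartbeat exchange and the missing length check described above, as an added example (not code from the original answer and not OpenSSL's own source): a small Python model in which the server's memory is a plain byte string, the leftover cookie and login data are constructed sample values, and all function names are my own. It places the unpatched handler beside the patched one, so the fix (comparing the claimed payload length with the size of the record actually received) is visible next to the bug.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3      # message type (1 byte) + payload_length (2 bytes)
PADDING_LEN = 16    # RFC 6520 requires at least 16 bytes of padding

# Constructed leftover data: what an earlier request left behind in the
# memory region the server will receive the next heartbeat into.
LEFTOVER_MEMORY = b"Cookie: session=abc123; user=alice&pass=hunter2"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request. An honest client sets claimed_len == len(payload);
    the over-long request described in the text sets it much larger."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def receive_into_memory(record: bytes, leftover: bytes = LEFTOVER_MEMORY) -> bytes:
    """Model the server's receive buffer: the record lands in front of old data that
    is still sitting in the reused memory block (the 'recycling' the text describes)."""
    return record + leftover


def vulnerable_response(memory: bytes) -> bytes:
    """Unpatched behaviour: trusts the claimed payload length and copies that many
    bytes starting at the payload, reading past the end of the received record."""
    _, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed_len]  # BUG: no bounds check
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed


def patched_response(memory: bytes, record_len: int):
    """Patched behaviour: verify the claimed length fits inside the record that was
    actually received; otherwise discard the message silently (RFC 6520, section 4)."""
    _, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + claimed_len + PADDING_LEN > record_len:
        return None
    echoed = memory[HEADER_LEN:HEADER_LEN + claimed_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything in the reply beyond the payload the client actually sent."""
    return response[HEADER_LEN + len(sent_payload):]


def demo() -> bytes:
    payload = b"PING"
    # Honest request: claimed length matches the payload, both handlers echo 4 bytes.
    honest = build_heartbeat(payload, len(payload))
    mem = receive_into_memory(honest)
    assert patched_response(mem, len(honest)) == vulnerable_response(mem)

    # Over-long claim: 100 bytes claimed, 4 bytes actually sent.
    bad = build_heartbeat(payload, 100)
    mem = receive_into_memory(bad)
    leak = leaked_bytes(vulnerable_response(mem), payload)
    print("unpatched server leaked:", leak)
    print("patched server replied:", patched_response(mem, len(bad)))
    return leak


if __name__ == "__main__":
    demo()
```

The unpatched reply contains the request's own padding followed by whatever the reused buffer still held, which in this model is the constructed cookie and login string; the patched handler returns nothing at all for the same request, which is the silent discard the fix introduced.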
station to transfer files or disable all your email accounts. It has been found that the number of servers actually affected is fewer than was originally thought. Original estimates suggested that 60% of all servers had the bug, but newer studies claim that only close to 18% have it. That is still a lot, but significantly lower than the first estimate. Besides, once the bug was discovered, a patch was released, and servers that have applied the patch are no longer affected by it.
While the threat of Heartbleed has diminished, it still left a bitter taste after the havoc it wreaked. For ordinary users there is only one thing to do: change the passwords of the services you consider most important. While you're at it, make sure your passwords are difficult to crack by mixing uppercase and lowercase letters and including symbols and a number or two. It is also recommended that you vary your passwords and not reuse one password across accounts.