https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&feedformat=atom&user=RatesAnalystexplain xkcd - User contributions [en]2026-05-23T18:39:52ZUser contributionsMediaWiki 1.30.0https://www.explainxkcd.com/wiki/index.php?title=1354:_Heartbleed_Explanation&diff=651681354: Heartbleed Explanation2014-04-11T07:09:12Z<p>RatesAnalyst: /* Explanation */</p>
<hr />
<div>{{comic<br />
| number = 1354<br />
| date = April 11, 2014<br />
| title = Heartbleed Explanation<br />
| image = heartbleed_explanation.png<br />
| titletext = Are you still there, server? It's me, Margaret.<br />
}}<br />
<br />
==Explanation==<br />
The {{w|Heartbleed bug}} has received a lot of news coverage recently and was also the topic of the previous comic ([[1353]]). This comic explains how the bug may have been discovered and can be exploited to reveal a server's memory contents. A hypothetical hacker (Meg) sends heartbeat requests to the server, the server responds to the heartbeat request by returning the contents of the body of the request up to the number of letters requested. The first two requests are well formed, requesting exactly the number of characters in the request body. The server is shown "thinking" about Meg's request with many other thoughts going on at the same time, analogous to the internal memory contents of a real web server.<br />
The last request sends "HAT" but requests 500 letters, the server - unaware that 500 letters is larger than the request body - returns "HAT" plus 497 letters that happened to be next to the word "HAT" in its memory. Included are many sensitive bits of information, including a master key and user passwords.<br />
<br />
The hover text is a reference to ''Are you there God? It's me, Margaret.'' a novel by Judy Bloome.<br />
<br />
==Transcript==<br />
:Title: How the heartbleed bug works:<br />
:Meg: Server, are you still there? If so, reply "POTATO" (6 letters).<br />
:Server (amongst other thoughts): User Meg wants these 6 letters: POTATO.<br />
:Server: POTATO<br />
:Meg: Server, are you still there? If so, reply "BIRD" (4 letters).<br />
:Server (amongst other thoughts): User Meg wants these 4 letters: BIRD.<br />
:Meg: Hmm...<br />
:Server: BIRD<br />
:Meg: Server, are you still there? If so, reply "HAT" (500 letters).<br />
:Server (amongst other thoughts): User Meg wants these 500 letters: HAT.<br />
:Server: HAT. Lucas requests the "missed connections" page. Eve (administrator) wants to set server's key to "14835038534". Isabel wants pages about "snakese but not too long". User Karen wants to change account password to "CoHoBaSt". User Amber requests pass...<br />
<br />
<br />
{{comic discussion}}</div>RatesAnalysthttps://www.explainxkcd.com/wiki/index.php?title=1354:_Heartbleed_Explanation&diff=651671354: Heartbleed Explanation2014-04-11T07:07:56Z<p>RatesAnalyst: Hover text explanatino</p>
<hr />
<div>{{comic<br />
| number = 1354<br />
| date = April 11, 2014<br />
| title = Heartbleed Explanation<br />
| image = heartbleed_explanation.png<br />
| titletext = Are you still there, server? It's me, Margaret.<br />
}}<br />
<br />
==Explanation==<br />
The {{w|Heartbleed bug}} has received a lot of news coverage recently and was also the topic of the previous comic ([[1353]]). This comic explains how the bug may have been discovered and can be exploited to reveal a server's memory contents. A hypothetical hacker (Meg) sends heartbeat requests to the server, the server responds to the heartbeat request by returning the contents of the body of the request up to the number of letters requested. The first two requests are well formed, requesting exactly the number of characters in the request body. The server is shown "thinking" about Meg's request with many other thoughts going on at the same time, analogous to the internal memory contents of a real web server.<br />
The last request sends "HAT" but requests 500 letters, the server - unaware that 500 letters is larger than the request body - returns "HAT" plus 497 letters that happened to be next to the word "HAT" in its memory. Included are many sensitive bits of information, including a master key and user passwords.<br />
<br />
The hover text is a reference to ''Are you there God, it's me, Margaret'' a novel by Judy Bloome. <br />
<br />
==Transcript==<br />
:Title: How the heartbleed bug works:<br />
:Meg: Server, are you still there? If so, reply "POTATO" (6 letters).<br />
:Server (amongst other thoughts): User Meg wants these 6 letters: POTATO.<br />
:Server: POTATO<br />
:Meg: Server, are you still there? If so, reply "BIRD" (4 letters).<br />
:Server (amongst other thoughts): User Meg wants these 4 letters: BIRD.<br />
:Meg: Hmm...<br />
:Server: BIRD<br />
:Meg: Server, are you still there? If so, reply "HAT" (500 letters).<br />
:Server (amongst other thoughts): User Meg wants these 500 letters: HAT.<br />
:Server: HAT. Lucas requests the "missed connections" page. Eve (administrator) wants to set server's key to "14835038534". Isabel wants pages about "snakese but not too long". User Karen wants to change account password to "CoHoBaSt". User Amber requests pass...<br />
<br />
<br />
{{comic discussion}}</div>RatesAnalyst