The Heartbleed bug is a “buffer over-read” in OpenSSL’s encryption library. OpenSSL is a widely used library, written in C, that implements common encryption protocols such as SSL and TLS. It can also be used from programming languages other than C through “wrappers”. It is commonly used to implement layer 4 of the OSI model, the transport layer.
The heartbeat extension for OpenSSL is used to keep connections open by periodically sending information to the computer it is connected to, for example every couple of seconds. In computing generally, a heartbeat refers to this kind of periodic sending of information.
The amount of information sent in each heartbeat is determined by the user. OpenSSL heartbeats are supposed to be no more than 16 kilobytes, and are usually much smaller. When the user requests a heartbeat, they give the server a string and an integer representing the size of that string. The server must then send the string back at that size, but the size is not checked to make sure it is no more than the actual size of the string. So when the server is asked to send 64 kilobytes of information for a 1 kilobyte string, for example, it reads that 1 kilobyte (or however long the string really is) and then reads the following 63 kilobytes of memory past the buffer the program is using to store its variables. An attacker exploiting this bug can read memory the program is using, which could include the private master encryption key or sensitive user information such as passwords. Once they know that encryption key they can decrypt the information being sent from the server and learn things like passwords.
The Heartbleed bug was put into the OpenSSL source code on 12/31/2011 and was introduced in the release of 3/21/12. It was reported on 4/1/14 by Google’s security team, and a patched version of OpenSSL without the bug was released on 4/7/14. The affected OpenSSL versions are 1.0.1 up to and including 1.0.1f. The patch is a simple conditional statement checking that the size parameter is not more than the string’s actual size. Around 500,000 servers, about 17% of SSL web servers, were estimated to be affected.
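As an added example (not from this post and not OpenSSL’s own code), here is a simplified heartbeat handler in C with the bounds check that the patch introduced; the comment marks the spot where the vulnerable versions went straight to the copy. The record layout (type byte, two-byte length, payload, 16 bytes of padding) follows RFC 6520, and the function names and the constructed "hello" requests are this example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_PADDING 16         /* heartbeat records end with at least 16 bytes of padding */
#define HB_MAX_PAYLOAD 16384  /* RFC 6520 caps the payload at 2^14 bytes */

/* Parse a heartbeat request (1-byte type, 2-byte big-endian payload length, payload,
 * padding) and echo the payload. Returns bytes echoed, or -1 if the record is rejected. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_len) {
    if (rec_len < 3) return -1;                       /* too short to hold the header */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled length field */
    /* Vulnerable OpenSSL 1.0.1 to 1.0.1f went straight to memcpy with `payload`,
     * trusting the peer's length. The fix is this check: the record must actually
     * contain header + payload + padding, so the copy cannot run past received bytes. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (payload > HB_MAX_PAYLOAD) return -1;          /* protocol maximum */
    if (out_len < 3 + payload) return -1;             /* response buffer too small */
    out[0] = 2;                                       /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];                 /* echo the length field */
    memcpy(out + 3, rec + 3, payload);                /* now bounded by rec_len */
    return (int)payload;
}

/* Build a constructed request record carrying an arbitrary claimed length. */
size_t make_request(uint8_t *buf, uint16_t claimed_len, const char *data, size_t data_len) {
    buf[0] = 1;                                       /* heartbeat_request */
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, data, data_len);
    memset(buf + 3 + data_len, 0, HB_PADDING);
    return 3 + data_len + HB_PADDING;
}

/* Honest request: length field 5 for the 5-byte payload "hello". Returns 5. */
int demo_honest_request(void) {
    uint8_t req[64], resp[64];
    size_t n = make_request(req, 5, "hello", 5);
    return build_heartbeat_response(req, n, resp, sizeof resp);
}

/* Over-long claim: the same 5-byte payload but a length field of 65535.
 * With the check in place the record is rejected instead of over-read. Returns -1. */
int demo_oversized_claim(void) {
    uint8_t req[64], resp[64];
    size_t n = make_request(req, 65535, "hello", 5);
    return build_heartbeat_response(req, n, resp, sizeof resp);
}
```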
According to Bloomberg News, the NSA had known about this bug for a while and chose not to make it public so that it could use it itself. The NSA has denied these allegations.
A useful picture: http://en.wikipedia.org/wiki/File:Heartbleed_bug_explained.svg