HeartBleed Bug Explained


Have to admit, I didn’t fully understand exactly how Heartbleed was affecting OpenSSL until xkcd explained it.

[image: xkcd comic explaining the Heartbleed bug]

Nailed it.

Key takeaways

  1. You need to update your passwords
    Some very high-profile sites were compromised, like Yahoo!, Tumblr, Dropbox, and several others. Some accounts are higher risk than others, but if your Yahoo email unlocks your bank account, update it today. Your email can unlock all of your other passwords; don’t ever forget that. Two-factor authentication is available, and it wouldn’t hurt to use it as an additional layer of security.
  2. Get a secure password generator
    Since you are in password hell already, get LastPass, 1Password, or KeePass to create secure passwords for you. I can hear you already: “doesn’t this make my password less secure?” Please don’t be daft. I don’t even want to take the time to explain it to you; it’s going to confuse you anyway if you are asking questions like that. There are different levels and layers of security and multiple layers of encryption, including local encryption. I’ve been using LastPass for years without incident, and they maintained some semblance of security in this mini-crisis. I have not tested the other two products; that’s why they aren’t linked.
  3. Update all the things!
    This is primarily for webmasters, but it wouldn’t hurt to update your computer software either. If anything, it shows the strength and weakness of open-source software: vulnerabilities are open to fixers and hackers alike. The way the tech community responded was impressive for both its speed and its altruism. Bad news doesn’t get better with age. No one got paid for being the bearer of bad news about everyone’s compromised security, and we all ran the risk of having egg on our faces.

Security needs to be appropriate for the value of what is being kept safe. Accessibility is usability, and increasing security decreases accessibility by definition. That is the security balancing act: I’m spending more time logging in with two-factor authentication, but it is worth it for the peace of mind it affords me.