Heartbleed bug explained by xkcd in a way anyone can understand

It’s simply amazing how amazingly simple this xkcd cartoon is at explaining what the Heartbleed bug is all about.

Heartbleed explained

Source: xkcd, “How the Heartbleed bug works”
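The mechanism the cartoon illustrates, as an added C simulation that is not from this post, from xkcd or from OpenSSL: the peer's heartbeat request carries a length field, and the unpatched handler trusts that field instead of the number of bytes it actually received, so the reply is filled from whatever memory follows the request. The arena, record layout and SECRET string are constructed stand-ins; the fix mirrors the shape of the bounds check added in OpenSSL 1.0.1g.

```c
#include <stdint.h>
#include <string.h>

/* Simulated server memory (constructed): the received heartbeat record, then 16
 * padding bytes, then data the peer must never see (session keys, cookies and
 * other users' data in a real process). reply is what gets sent back. */
#define ARENA 128
static unsigned char arena[ARENA], reply[ARENA];
static const char SECRET[] = "SECRET-KEY-MATERIAL";

/* Lay out [type][len hi][len lo][payload][16 pad] and return the byte count
 * actually received; claimed_len is whatever the peer put in the length field. */
static size_t setup_arena(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload), rec_len = 3 + plen + 16;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                    /* TLS1_HB_REQUEST */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);  /* adjacent memory */
    return rec_len;
}

/* Heartbeat handler. Without the fix it echoes back as many bytes as the peer
 * CLAIMED and never looks at rec_len, so the copy runs past the record it was
 * given. With the fix (same shape as the OpenSSL 1.0.1g check) it silently
 * discards any record whose header + claimed payload + padding exceeds what
 * actually arrived. Returns the reply length, or -1 if nothing is sent. */
static int heartbeat(size_t rec_len, int with_fix) {
    uint16_t payload = (uint16_t)((arena[1] << 8) | arena[2]);
    if (with_fix && 1 + 2 + (size_t)payload + 16 > rec_len) return -1;
    if (payload > ARENA - 3) return -1;  /* only keeps the simulation in bounds */
    reply[0] = 2; reply[1] = arena[1]; reply[2] = arena[2];  /* TLS1_HB_RESPONSE */
    memcpy(reply + 3, arena + 3, payload);
    return 3 + payload;
}

/* Send one "POTATO" heartbeat with the given claimed length through a handler;
 * returns the reply length, or -1 if the record was discarded. */
static int heartbeat_demo(uint16_t claimed_len, int with_fix) {
    return heartbeat(setup_arena(claimed_len, "POTATO"), with_fix);
}

/* 1 if the last reply carries the SECRET that lay beyond the received record. */
static int reply_leaks_secret(int len) {
    for (int i = 0; i + (int)sizeof SECRET <= len; i++)
        if (memcmp(reply + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}
```

A 6-byte "POTATO" request that claims 60 bytes gets a 63-byte reply containing the adjacent secret from the unpatched handler, and is dropped by the patched one; an honest 6-byte claim is answered normally by both.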



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Heartbleed bug explained by xkcd in a way anyone can understand”

  1. Clasic

    Hi Graham!
    Should we change all internet passwords?? :(

    1. Coyote · in reply to Clasic

      NO! That is inherently bad advice from misguided people/organisations. There are serious flaws in that suggestion. Instead, read the following:

      1. Is the server in question vulnerable (as in, was it vulnerable)? If not, then there is likely no need to change. However, see below. Also note specifically that you might have to change here too if by chance you are affected by 4, below.
      2. Is it vulnerable still? If it is, then not only will you risk your old password (when you log in to change it), you risk your new password being leaked (not to mention any other number of things). Note that if they have not generated a new security certificate then they may as well still be vulnerable!
      3. If, however, it is fixed, then by all means change the password (it would be unwise not to if the server was vulnerable). Also, if you have the hardware (e.g. a mobile phone with text messaging) and the site offers two-factor authentication, you might want to consider that too.
      4. Further, if by some chance (ahem) you used the same password, then not only will you need to confirm that the sites you also used them on are not vulnerable, you will also have to change those too. And when you do that, don't use the same password! This also means if you used a password on an unaffected site that is used on another site (affected or not) you should change it, because what if one is compromised by another flaw? In general: don't use the same password twice.
      5. The media is very bad in general about security suggestions because they use sensationalism, which adds to confusion, misleading the public and causing more problems. Even sites that were vulnerable were suggesting you change all passwords. Don't buy into that! It is naive at best and beyond dangerous at worst!

  2. BitterReality

    SSL = Stupid Slovenly Losers….. Give a monkey a keyboard….. wait for it………. SSL
