I like xkcd, but this explanation does not make sense.
I am not an expert programmer, nor much of a programmer at all, so anyone who knows a better explanation should help me here.
On the "secure socket" protocol, which is used by a lot of banks and other secured internet connections, there is a periodic "handshake" which is called a "heartbeat".
While the connection is open, each machine will ask the other to repeat a short word or phrase and specifies the length of the word or phrase. When the heartbeat does not get a reply, the connection is over.
The hack was to connect and start the heartbeat as normal, but to ask for a greater length of reply than the heartbeat word.
When the Heartbleed hack worked, the server would reply with the requested word, and the additional length of the request was filled with whatever the server had in its buffers, whatever random things it had just recently done. So if it had just recorded a password change, this would be captured by the hacker.
This technique is not going to work anymore; all of the responsible banks and credit cards that use the secure socket know now to plug this leak.
What we do not really know is when this vulnerability was first discovered, nor do we know who might have found how much for how long, very quietly bleeding passwords since when?
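The over-read the post describes, as an added example that is not part of the original comment and not OpenSSL's code: a small C simulation in which a constructed "server memory" arena holds the heartbeat request at the front and a made-up leftover string (a password change) just behind it. The vulnerable handler trusts the two-byte length field in the message and copies that many bytes from the payload pointer, so an attacker who sends a 4-byte payload but claims 64 bytes gets the leftover back. The hardened handler refuses any request whose claimed length does not fit inside the bytes actually received; that check is modeled on the shape of the published fix but is written here for the toy. The wire layout (type byte, 16-bit big-endian length, payload), the arena, the secret and the lengths are all constructed for the example; the toy clamps the over-read to its own arena so the demo itself is well-defined, which a real server did not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's process memory. The heartbeat
 * request occupies the front; whatever the server touched recently (here
 * a made-up password-change fragment) sits a few bytes behind it. */
#define ARENA_SIZE 96
static unsigned char arena[ARENA_SIZE];

/* Builds a request in the arena using the TLS heartbeat layout: type byte,
 * 16-bit big-endian claimed length, payload. Returns the number of bytes
 * "actually received", which is what the handler should trust. */
static size_t build_request(uint16_t claimed_len, const char *payload,
                            const char *leftover)
{
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* 1 = heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xFF);
    memcpy(arena + 3, payload, plen);
    size_t record_len = 3 + plen;
    /* stale data from an earlier request, just past the record */
    memcpy(arena + record_len + 4, leftover, strlen(leftover));
    return record_len;
}

/* Vulnerable handler: never consults record_len, copies as many bytes as
 * the message claims, and so runs past the request into adjacent memory.
 * rec must point into arena (the toy's "process memory"). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)record_len;                              /* ignored: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    const unsigned char *payload = rec + 3;
    /* clamp to the arena so the simulation stays well-defined */
    size_t avail = (size_t)(arena + ARENA_SIZE - payload);
    size_t n = claimed > avail ? avail : claimed;
    if (3 + n > out_cap) return 0;
    out[0] = 2;                                    /* 2 = heartbeat response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, payload, n);                   /* the over-read */
    return 3 + n;
}

/* Hardened handler: type + length + claimed payload must fit inside the
 * bytes actually received, otherwise the message is silently dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out, size_t out_cap)
{
    if (record_len < 3) return 0;                  /* no room for type + length */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed > record_len) return 0; /* length lies: discard */
    if ((size_t)3 + claimed > out_cap) return 0;
    out[0] = 2;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    return 3 + claimed;
}

/* True when needle occurs anywhere in the first n bytes of buf. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || n < m) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs an honest heartbeat and then the attack against both handlers.
 * Returns 1 when only the vulnerable handler, and only under attack,
 * hands the leftover secret back to the client. */
static int run_demo(void)
{
    const char *secret = "newpass=hunter2";        /* constructed leftover */
    unsigned char resp[ARENA_SIZE + 3];
    /* honest heartbeat: 4-byte payload, claims 4 bytes */
    size_t rl = build_request(4, "ping", secret);
    size_t n = heartbeat_vulnerable(arena, rl, resp, sizeof resp);
    int honest_leaks = contains(resp, n, secret);
    /* attack: same 4-byte payload, but claims 64 bytes */
    rl = build_request(64, "ping", secret);
    n = heartbeat_vulnerable(arena, rl, resp, sizeof resp);
    int attack_leaks = contains(resp, n, secret);
    size_t fixed_n = heartbeat_fixed(arena, rl, resp, sizeof resp);
    return !honest_leaks && attack_leaks && fixed_n == 0;
}

int main(void)
{
    printf("vulnerable handler leaks, fixed handler drops: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```

The point the simulation makes is that the response length was never derived from the client's claim alone in the fixed version: the claim is compared against what the transport layer says arrived, and anything inconsistent is discarded rather than answered.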