Why is it called Heartbleed?

Yesterday I posted about the Heartbleed bug, but didn’t address why it’s called “Heartbleed”. I err’d in the writing of that blog post on (at least one point):

It’s called “Heartbleed” because programmers love cute names. I haven’t actually found a credible source for its naming, so I default to the ‘cute’ reasoning. It’s accurate in general, if nothing else.

That was partially right. Programmers do love cute names. But that’s not the full story. After doing some more research, I found out why it’s called the Heartbleed bug, courtesy of this Security.SE answer:

In short, Heartbeat allows one endpoint to go “I’m sending you some data, echo it back to me”. You send both a length figure and the data itself. The length figure can be up to 64 KiB. Unfortunately, if you use the length figure to claim “I’m sending 64 KiB of data” (for example) and then only really send, say, one byte, OpenSSL would send you back your one byte — and 64 KiB (minus one) of other data from RAM.


So the function that has the bug is called “Heartbeat”, and the bug allows for the server to ‘bleed’ information it should otherwise not send back. HeartBeat + bleed = HeartBleed.


Authors [foot]note: A shorter form of this answer made it into my inaugural Higher Logic blog post, as well.

Leave a Reply