I have received a lot of requests from people outside of the IT field to explain the Heartbleed bug in easy-to-understand terms. Rather than attempt to reinvent the wheel, I have published below (with some editing for clarity) what is probably the best attempt at this that I have read so far. It was written by Stack Exchange user SPRBRN.
The Bank Employee and the Customer
The main characters in this story:
- The bank: A Web server
- The bank employee: The OpenSSL service for the Web server
- The bank customer: A bot fetching all information it can get from that server
You, the bank customer, call the bank to request a new bank account. Somehow you and the bank make sure that you are who you say you are, and that the bank is actually the bank. This is the TLS process that secures the connection between you and the bank.