Questions on Heartbleed

Lately we built a Chrome Extension called Ballloon, which enables people to save any files on webpages they need directly and quickly to Dropbox or Google Drive. To guarantee the users' account safety, we chose to go HTTPS, but what makes us uptight is that there's a huge and severe bug living with OpenSSL, Heartbleed. We would be grateful to anyone who answers my questions below:
1. How does Heartbleed work?
2. What can we do to avoid Heartbleed bug?
3. Should extensions like http://www.Ballloon.com keep free from Heartbleed? If yes, how?


https://chrome.google.com/webstore/detail/ballloon/kbmligehjhghebleanjcmenomghmcohn
Thanks
If I'm not mistaken, a patch for the Heartbleed bug was released at the same time they announced the bug, so you should be ok with using the latest version.

As far as I know, Heartbleed happened because of a missing length-check in some part of the code which used memcpy to copy data into some buffer. That meant that if the server received a request (not sure what type of request) which specified a message length that was longer than the actual message, then the server would send back the message plus whatever was next in memory, which if you were really unlucky could include passwords etc.

EDIT: Why was this reported?
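The missing length check described in the reply above, as an added example that is not part of the thread and not OpenSSL's own code: a simplified model of a heartbeat handler in its unchecked and checked forms, run over a constructed buffer. The function names, buffer layout and sample bytes are assumptions; the message layout (type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR ((size_t)3)    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PAD ((size_t)16)   /* RFC 6520 minimum padding */

/* Shared reply builder: echoes n payload bytes (reply padding omitted). */
static size_t hb_echo(const unsigned char *rec, size_t n, unsigned char *out, size_t cap) {
    if (HB_HDR + n > cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    return HB_HDR + n;
}

/* Vulnerable shape: trusts the length field and never looks at rec_len. */
size_t hb_reply_unchecked(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t cap) {
    (void)rec_len;                                   /* the missing check */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    return hb_echo(rec, claimed, out, cap);          /* may read past the record */
}

/* Hardened shape: the claimed length must fit inside the bytes received. */
size_t hb_reply_checked(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t cap) {
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0;   /* discard silently */
    return hb_echo(rec, claimed, out, cap);
}

/* Constructed demo memory (cap >= 41): a 23-byte record, then unrelated data. */
size_t build_demo(unsigned char *mem, size_t cap, unsigned claimed) {
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST; mem[1] = (claimed >> 8) & 0xff; mem[2] = claimed & 0xff;
    memcpy(mem + HB_HDR, "ping", 4);                 /* real payload: 4 bytes */
    memcpy(mem + HB_HDR + 4 + HB_PAD, "CONSTRUCTED-SECRET", 18);
    return HB_HDR + 4 + HB_PAD;                      /* bytes actually received */
}

int main(void) {
    unsigned char mem[64], out[64];
    size_t len = build_demo(mem, sizeof mem, 38);    /* claims 38, sent 4 */
    printf("unchecked: %zu bytes\n", hb_reply_unchecked(mem, len, out, sizeof out));
    printf("checked:   %zu bytes\n", hb_reply_checked(mem, len, out, sizeof out));
    len = build_demo(mem, sizeof mem, 4);            /* honest request */
    printf("honest:    %zu bytes\n", hb_reply_checked(mem, len, out, sizeof out));
    return 0;
}
```

The over-read in the demo stays inside one 64-byte array, so the unchecked path can be run without touching memory the program does not own.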
Thank you very much, the file has been found. Do you think it's necessary to solve such a problem happening to products like Ballloon? It still remains unsolved.
Why was fafner's post reported?

Another Heartbleed explanation:
http://xkcd.com/1354/


Your extension should be fine, assuming you aren't statically linking to an old OpenSSL lib or shipping an old OpenSSL DLL with it. That is, as long as you are linking with the latest OpenSSL you are okay.