Questions on Heartbleed



Lately we built a Chrome extension called Ballloon, which enables people to save any files on webpages they need directly and quickly to Dropbox or Google Drive. To guarantee the users' account safety, we chose to go HTTPS, while what makes us uptight is that there's a huge and severe bug living with OpenSSL, Heartbleed. We are grateful to anyone who answers my questions below:
1. How does Heartbleed work?
2. What can we do to avoid Heartbleed bug?
3. Should extensions like http://www.ballloon.com keep free from Heartbleed? If yes, how?

https://chrome.google.com/webstore/detail/ballloon/kbmligehjhghebleanjcmenomghmcohn

Thanks
From the best of my understanding:
1) The client and server send heartbeats back and forth. You can fake a heartbeat and get the server to send you what's stored in the RAM, meaning you could get certain passwords and credentials.

2) Use as much authentication as you can. For example, I use mobile authentication and OAuth tokens with my GitHub account (which actually uses OpenSSL).

3) I don't think Google Drive uses OpenSSL, and Dropbox probably would have applied the patch by now.
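
An illustration of the check behind point 1 above, added here and not part of any reply in this thread or of OpenSSL's source: a heartbeat request (RFC 6520) states its own payload length, and the responder has to confirm that length fits inside the record it actually received before echoing anything back. The function name `hb_build_response` and both sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE  2   /* heartbeat_response */
#define HB_HEADER    3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16   /* minimum padding after the payload */

/* Constructed samples: both carry the 4-byte payload "ping" plus 16 bytes of
 * padding; the second one's length field claims far more than was sent. */
const unsigned char HB_GOOD[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
const unsigned char HB_BAD[23]  = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};

/* Hypothetical helper: builds the echo response for a received heartbeat
 * record. Returns the response size, or 0 if the record must be silently
 * discarded. rec_len is the number of bytes really received. */
size_t hb_build_response(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    size_t claimed, total;

    /* Too short for even an empty heartbeat, or not a request. */
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;

    /* The length field is chosen by the sender; it is only a claim. */
    claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: header + claimed payload + padding must fit inside
     * the received record, otherwise the copy below would read past it. */
    total = HB_HEADER + claimed + HB_MIN_PAD;
    if (total > rec_len || total > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo the payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* RFC 6520 asks for random padding; zeros keep the example short */
    return total;
}

int main(void)
{
    unsigned char out[64];
    printf("good: %zu bytes\n", hb_build_response(HB_GOOD, sizeof HB_GOOD, out, sizeof out));
    printf("bad:  %zu bytes\n", hb_build_response(HB_BAD, sizeof HB_BAD, out, sizeof out));
    return 0;
}
```
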
I believe Heartbleed has already been taken care of?
Yes, there is a patch for it, but it's not guaranteed that every site has applied it. For example, last time I checked GitHub they said nothing about having applied it yet.
Ah OK, that's good to know.
If you're using OpenSSL you might have to worry, but as far as I know it was patched at the start of April. Use Blackbox if you need top security, as the exploit is not in this paid version of Secure Sockets Layer.


:)