Heartbleed coder: bug in OpenSSL was an honest mistake

10 Apr 2014
heartbleed

The coder responsible for the Heartbleed flaw in OpenSSL has said the bug wasn't deliberate

The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake.

The Heartbleed bug leaks a small slice of memory from web servers and client PCs, letting anyone who knows of the flaw nab passwords, card details, and even encryption keys.

OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," Seggelmann told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."

His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL.

On purpose?

The severity of the bug, and the fact that it can be exploited without leaving any trace, has led some to pin the blame on spies - a common refrain after Edward Snowden's leaks about the NSA.

Security guru Bruce Schneier has discussed that possibility in a blog post: "The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything," he said. "My guess is accident, but I have no proof."

Seggelman said it was indeed an accident, calling it a "simple programming error".

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he told the Australian newspaper.

While he said the flaw wasn't intentional, he acknowledged the possibility that security services had used it for spying, saying "it's always better to assume the worst than best case in security matters".

Indeed, amid the debate about whether and when passwords should be changed, there's a more frightening prospect, noted one security expert: "We need to keep reminding ourselves that for the last two years a huge amount of stuff that we thought was private was not private," Geoff Webb, senior director of solution strategy at NetIQ, told PC Pro.

Perfect code

Seggleman defended open-source development, saying the missed flaw highlights the need for more people to help out on such projects.

However, Webb pointed out that it's impossible not to have flaws in code, not least because for every person working to secure a process, there's someone working to break it.

"The reality is there's no way to make code perfect... any time you think you've built an unsinkable ship, there's an iceberg out there waiting for it," Webb said.

In this case, as Seggleman revealed, the flaw was a small one in a "security relevant" area.

"The reality is there are certain pieces of tech that it's if not done right, it can undermine a lot," said Webb. "If these things get undermined then everything else you build after that is really very shaky... if they go wrong, they affect a lot of people. So get those right first. Then check them, and recheck them. And then watch them."

Read more

News