Heartbleed coder: bug in OpenSSL was an honest mistake
By Nicole Kobie
Posted on 10 Apr 2014 at 16:46
The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake.
The Heartbleed bug leaks a small slice of memory from web servers and client PCs, letting anyone who knows of the flaw nab passwords, card details, and even encryption keys.
OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," Seggelmann told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."
His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL.
The severity of the bug, and the fact that it can be exploited without leaving any trace, has led some to pin the blame on spies - a common refrain after Edward Snowden's leaks about the NSA.
Security guru Bruce Schneier has discussed that possibility in a blog post: "The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything," he said. "My guess is accident, but I have no proof."
Seggelmann said it was indeed an accident, calling it a "simple programming error".
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he told the Australian newspaper.
While he said the flaw wasn't intentional, he acknowledged the possibility that security services had used it for spying, saying "it's always better to assume the worst than best case in security matters".
Indeed, amid the debate about whether and when passwords should be changed, there's a more frightening prospect, noted one security expert: "We need to keep reminding ourselves that for the last two years a huge amount of stuff that we thought was private was not private," Geoff Webb, senior director of solution strategy at NetIQ, told PC Pro.
Seggelmann defended open-source development, saying the missed flaw highlights the need for more people to help out on such projects.
However, Webb pointed out that it's impossible not to have flaws in code, not least because for every person working to secure a process, there's someone working to break it.
"The reality is there's no way to make code perfect... any time you think you've built an unsinkable ship, there's an iceberg out there waiting for it," Webb said.
In this case, as Seggelmann revealed, the flaw was a small one in a "security relevant" area.
"The reality is there are certain pieces of tech that it's if not done right, it can undermine a lot," said Webb. "If these things get undermined then everything else you build after that is really very shaky... if they go wrong, they affect a lot of people. So get those right first. Then check them, and recheck them. And then watch them."
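The missing length check Seggelmann describes, and the slice of memory it lets a heartbeat reply carry, as an added C illustration (not code from OpenSSL or from the article): a constructed memory arena holds a short heartbeat record whose claimed payload length exceeds what actually arrived, followed by a made-up key fragment. The unchecked handler copies the adjacent bytes into its reply; the checked handler, written after the form of the 2014 fix, drops the record and answers only an honest one.

```c
#include <stdint.h>
#include <string.h>
/* Record layout (RFC 6520): type(1) | payload_length(2, big-endian) | payload.
 * Constructed "process memory": a short record followed by bytes that must never
 * leave the process (a made-up key fragment, not real key material). */
#define ARENA_SIZE 32
#define RECORD_LEN 5       /* bytes that actually arrived from the peer */
#define PAYLOAD_SENT 2     /* real payload inside those bytes */
static const unsigned char arena[ARENA_SIZE] = {
    0x01, 0x00, 0x10,      /* request; the peer *claims* a 16-byte payload */
    'h', 'i',              /* the 2 payload bytes actually sent */
    'K','E','Y','-','F','R','A','G','M','E','N','T','-','A','B','C'  /* adjacent secret */
};
static uint16_t claimed_len(const unsigned char *rec) { return (uint16_t)((rec[1] << 8) | rec[2]); }

/* The defect: the peer-supplied length is trusted, so the reply echoes whatever lies
 * after the short record. mem_avail only keeps this demo inside arena; the shipped
 * code had no such limit. */
static size_t heartbeat_unchecked(const unsigned char *rec, size_t mem_avail, unsigned char *out)
{
    size_t n = claimed_len(rec);
    if (3 + n > mem_avail) n = mem_avail - 3;
    memcpy(out, rec + 3, n);
    return n;
}

/* The fix: reject any record whose claimed payload does not fit in the bytes received. */
static size_t heartbeat_checked(const unsigned char *rec, size_t record_len, unsigned char *out)
{
    if (record_len < 3) return 0;
    size_t n = claimed_len(rec);
    if (3 + n > record_len) return 0;   /* silently dropped, as the patched OpenSSL does */
    memcpy(out, rec + 3, n);
    return n;
}

/* How many bytes from beyond the real payload the unchecked handler sent back. */
int demo_leaked_bytes(void)
{
    unsigned char out[ARENA_SIZE];
    size_t n = heartbeat_unchecked(arena, ARENA_SIZE, out);
    if (n <= PAYLOAD_SENT || memcmp(out + PAYLOAD_SENT, arena + RECORD_LEN, n - PAYLOAD_SENT)) return 0;
    return (int)(n - PAYLOAD_SENT);
}

/* The checked handler drops the malformed record but still answers an honest one. */
int demo_checked_behaviour(void)
{
    unsigned char out[ARENA_SIZE];
    static const unsigned char honest[] = { 0x01, 0x00, 0x02, 'h', 'i' };
    if (heartbeat_checked(arena, RECORD_LEN, out) != 0) return 0;
    return heartbeat_checked(honest, sizeof honest, out) == 2 && memcmp(out, "hi", 2) == 0;
}
```

With the 2-byte record above, the unchecked handler returns 14 bytes of the adjacent secret; in a real process those bytes are whatever happens to sit next to the request buffer, which is why the article's sources describe the leak as random.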
The OpenSSL bug is not a good way of reliably getting information. It gives you a random 64KB of information. It may leak credentials, but more likely the certificate - which is the real problem here.
To get usable information of millions of credentials, there are much easier ways to go about it.
What is worrying about Heartbleed is that it can leak the key to the encryption with the server, meaning anyone who gets the information can spoof the server and visitors will only see the genuine certificate, they will not be able to tell they are talking to a rogue server.
By big_D on 11 Apr 2014
Pesky red servers...
Predictive typing software? Some different colour server blades would be nice to see occasionally.
What really needs to stop is the media telling people to change passwords immediately. If account credentials can be accessed then this won't make any difference until the affected servers have been patched. At which time the companies using the affected servers should be contacting affected customers about changing passwords.
By mr_chips on 11 Apr 2014
This is the ONLY place that is broadcasting correct information about the source of the bug and its timeline. Bravo.
By flybd5 on 13 Apr 2014