Skip to navigation
Latest News

Heartbleed coder: bug in OpenSSL was an honest mistake


By Nicole Kobie

Posted on 10 Apr 2014 at 16:46

The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake.

The Heartbleed bug leaks a small slice of memory from web servers and client PCs, letting anyone who knows of the flaw nab passwords, card details, and even encryption keys.

OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," Seggelmann told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."

His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL.

On purpose?

The severity of the bug, and the fact that it can be exploited without leaving any trace, has led some to pin the blame on spies - a common refrain after Edward Snowden's leaks about the NSA.

Security guru Bruce Schneier has discussed that possibility in a blog post: "The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything," he said. "My guess is accident, but I have no proof."

Seggelman said it was indeed an accident, calling it a "simple programming error".

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he told the Australian newspaper.

While he said the flaw wasn't intentional, he acknowledged the possibility that security services had used it for spying, saying "it's always better to assume the worst than best case in security matters".

Indeed, amid the debate about whether and when passwords should be changed, there's a more frightening prospect, noted one security expert: "We need to keep reminding ourselves that for the last two years a huge amount of stuff that we thought was private was not private," Geoff Webb, senior director of solution strategy at NetIQ, told PC Pro.

Perfect code

Seggleman defended open-source development, saying the missed flaw highlights the need for more people to help out on such projects.

However, Webb pointed out that it's impossible not to have flaws in code, not least because for every person working to secure a process, there's someone working to break it.

"The reality is there's no way to make code perfect... any time you think you've built an unsinkable ship, there's an iceberg out there waiting for it," Webb said.

In this case, as Seggleman revealed, the flaw was a small one in a "security relevant" area.

"The reality is there are certain pieces of tech that it's if not done right, it can undermine a lot," said Webb. "If these things get undermined then everything else you build after that is really very shaky... if they go wrong, they affect a lot of people. So get those right first. Then check them, and recheck them. And then watch them."

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

Better ways

The openSSL bug is not a good way of reliably getting information. It gives you a random 64KB of information. It may leak credentials, but more likely the certificate - which is the real problem here.

To get usable information of millions of credentials, there are much easier ways to go about it.

What is worrying about Heartbleed is that it can leak the key to the encryption with the server, meaning anyone who gets the information can spoof the server and visitors will only see the genuine certificate, they will not be able to tell they are talking to a rouge sever.

By big_D on 11 Apr 2014

Pesky red servers...

predictive typing software? some different colour server blades would be nice to see occasionally.

What really needs to stop is the media telling people to change passwords immediately. If account credentials can be accessed then this won't make any difference until the affected servers have been patched. At which time the companies using the affected servers should be contacting affected customers about changing passwords.

By mr_chips on 11 Apr 2014


This is the ONLY place that is broadcasting correct information about the source of the bug and its timeline. Bravo.

By flybd5 on 13 Apr 2014

Leave a comment

You need to Login or Register to comment.



Most Commented News Stories
Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing


Sponsored Links

Your email:

Your password:

remember me


Hitwise Top 10 Website 2010

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.