
Heartbleed creator says bug wasn't intentional

Saturday, 12 April 2014 - 9:50am IST | Place: Mumbai | Agency: DNA

A German software programmer has taken responsibility for the 'Heartbleed' bug affecting millions of online passwords, saying that he inserted the flaw into OpenSSL's code by accident.

Robin Seggelmann said in a blog that the problem occurred while he was working on fixing problems in OpenSSL, a popular open-source cryptographic library that many websites use to encrypt data in transit.

The programmer, who now works for a division of Deutsche Telekom, had worked on OpenSSL while studying at University of Duisburg-Essen, Germany.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told the Sydney Morning Herald.

"In one of the new features, unfortunately I missed validating a variable containing a length."

The programmer who reviewed his code, Stephen Henson, who holds a PhD, also missed the error.

By exploiting that small mistake, an attacker can repeatedly read a slice of a server's memory (up to 64 KB per malformed request, since the length field is 16 bits wide), which can contain user names, passwords and other private content, endangering much of the Web's most sensitive data.
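To make the mechanism concrete, here is an added example (not OpenSSL's code, and none of its identifiers are OpenSSL's): a simplified model of a TLS heartbeat handler in which the length field inside the record is trusted without being compared against the bytes actually received, next to the version with the check. The demo record and the "secret" placed after it are constructed so the over-read stays inside one buffer and is deterministic; in a real process the bytes past the record are whatever the heap holds.

```c
/* Added example, not OpenSSL's code. All names here (hb_record_t,
 * process_heartbeat_vulnerable, process_heartbeat_fixed, demo_leaks_secret)
 * are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_TYPE_REQUEST   1
#define HB_TYPE_RESPONSE  2
#define HB_HEADER_LEN     3   /* 1 byte type + 2 byte big-endian payload length */
#define HB_PADDING_LEN   16   /* minimum padding the heartbeat format requires */

/* A received record: the bytes on the wire and how many the peer really sent. */
typedef struct {
    const uint8_t *data;
    size_t len;
} hb_record_t;

static uint16_t hb_claimed_payload_len(const uint8_t *p) {
    return (uint16_t)((p[1] << 8) | p[2]);
}

/* Echoes `payload` bytes back after a response header. Returns the
 * response length, or 0 on allocation failure. Caller frees *out. */
static size_t hb_build_response(const uint8_t *p, uint16_t payload, uint8_t **out) {
    size_t resp_len = HB_HEADER_LEN + (size_t)payload + HB_PADDING_LEN;
    uint8_t *resp = malloc(resp_len);
    if (!resp) return 0;
    resp[0] = HB_TYPE_RESPONSE;
    resp[1] = p[1];
    resp[2] = p[2];
    memcpy(resp + HB_HEADER_LEN, p + HB_HEADER_LEN, payload);
    memset(resp + HB_HEADER_LEN + payload, 0, HB_PADDING_LEN);
    *out = resp;
    return resp_len;
}

/* Vulnerable: the length field in the record is trusted and rec->len is never
 * consulted, so a 1-byte payload claiming 65535 bytes copies 65535 bytes of
 * whatever follows the record in memory into the reply. */
size_t process_heartbeat_vulnerable(const hb_record_t *rec, uint8_t **out) {
    return hb_build_response(rec->data, hb_claimed_payload_len(rec->data), out);
}

/* Fixed: compare the claimed length with the bytes actually received before
 * touching them, and silently discard the record if they disagree. */
size_t process_heartbeat_fixed(const hb_record_t *rec, uint8_t **out) {
    uint16_t payload;
    *out = NULL;
    if (rec->len < HB_HEADER_LEN + HB_PADDING_LEN) return 0;     /* too short for header + padding */
    payload = hb_claimed_payload_len(rec->data);
    if (HB_HEADER_LEN + (size_t)payload + HB_PADDING_LEN > rec->len) return 0;  /* length lies */
    return hb_build_response(rec->data, payload, out);
}

/* Constructed demo input: a record claiming a 48-byte payload but carrying one
 * byte, placed directly in front of a fake secret. 48 = 1 payload byte +
 * 16 padding bytes + sizeof(DEMO_SECRET), so the over-read ends exactly at the
 * end of the buffer. */
#define DEMO_SECRET   "session=cafe; password=hunter2"
#define DEMO_CLAIMED  48

static int contains_bytes(const uint8_t *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Runs one handler over the demo record. Returns 1 if the response carries
 * DEMO_SECRET (memory was leaked), 0 if the record was rejected or nothing leaked. */
int demo_leaks_secret(size_t (*handler)(const hb_record_t *, uint8_t **)) {
    uint8_t mem[HB_HEADER_LEN + 1 + HB_PADDING_LEN + sizeof(DEMO_SECRET)];
    size_t sent = HB_HEADER_LEN + 1 + HB_PADDING_LEN;   /* bytes the peer really sent */
    uint8_t *resp = NULL;
    size_t resp_len;
    int leaked;

    memset(mem, 0, sizeof mem);
    mem[0] = HB_TYPE_REQUEST;
    mem[1] = (DEMO_CLAIMED >> 8) & 0xff;
    mem[2] = DEMO_CLAIMED & 0xff;
    mem[3] = 'A';                                          /* the only real payload byte */
    memcpy(mem + sent, DEMO_SECRET, sizeof(DEMO_SECRET));  /* "adjacent" process memory */

    hb_record_t rec = { mem, sent };
    resp_len = handler(&rec, &resp);
    leaked = resp && contains_bytes(resp, resp_len, DEMO_SECRET);
    free(resp);
    return leaked;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_leaks_secret(process_heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", demo_leaks_secret(process_heartbeat_fixed));
    return 0;
}
```

The fix is the two comparisons in process_heartbeat_fixed: nothing about the cryptography changes, the handler simply refuses to believe a length it cannot verify against the record it actually holds. Discarding the record silently, rather than answering with an error, avoids giving a prober a second signal to work with.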

In the wake of Edward Snowden's revelations of massive NSA internet surveillance, questions quickly arose about whether Seggelmann had done this on purpose in an effort to build a backdoor into one of the internet's most important security tools.

Seggelmann has denied deliberately inserting the flaw, saying it could "be explained pretty easily". However, it remains a possibility that intelligence agencies like the NSA have made use of the vulnerability.

"It is a possibility, and it's always better to assume the worst than best case in security matters, but since I didn't know the bug until it was released and (I am) not affiliated with any agency," Seggelmann said.

A year after writing the catastrophic bug, Seggelmann completed his PhD thesis titled "Strategies to Secure End-to-End Communication" at the University of Duisburg-Essen.

The OpenSSL team, including Seggelmann and Henson, is small and receives essentially no pay despite maintaining one of the world's most popular and important pieces of open-source software. With this notable exception, the team's security record has been strong, even as OpenSSL has been extended to support more than 80 platforms.



