Heartbleed: Coder responsible for 'catastrophic' bug says it can be 'explained pretty easily'
Robin Seggelmann says that Heartbleed was an honest mistake and had nothing to do with surveillance by government security agencies
The programmer responsible for creating the Heartbleed bug that affected millions of websites across the web has come forward to say that the flaw was a mistake and can “be explained pretty easily”.
Robin Seggelmann was working on the OpenSSL software that is used as encryption by major websites as part of his PhD when he amended a section of the code known as the “heartbeat”.
The "heartbeat" lets servers exchange brief messages with the user to check they’re still there. The user’s computer sends the server a randomly-chosen message (for example ‘coffee’) and its length (‘six characters long’). The server then returns this message to confirm that communications between the two are still working fine.
Seggelmann’s piece of code unfortunately created a loophole that let malicious users trick the server by claiming that their random message was as long as 64,000 characters. So, in the example above, the server sends back the word ‘coffee’ as well as tens of thousands of characters of potentially damaging information.
As far as hacking attacks go, exploiting Heartbleed would have been an imprecise and slow process, but if users requested enough slices of random information, sooner or later they’d find something sensitive.
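As an added illustration (not code from OpenSSL or from the article), a simplified heartbeat handler showing the length check the article says was missing: the record layout is reduced to a type byte, a two-byte length and the payload, and the sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record body, as the article describes it: one type
 * byte, a two-byte big-endian payload length, then the payload. The real
 * message also carries padding, which is omitted here. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3

/* Build a heartbeat response that echoes the request payload into out.
 * rec_len is the number of bytes actually received in the record.
 * Returns the number of bytes written, or -1 if the record is rejected. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN || rec[0] != HB_REQUEST)
        return -1;
    /* The length is taken from the message itself, i.e. from the peer. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The missing check: the original code trusted 'claimed' and copied that
     * many bytes, reading past the shorter record into adjacent memory.
     * The fix: the claim must fit inside what was actually received. */
    if (claimed > rec_len - HB_HDR_LEN)
        return -1;
    if (out_cap < HB_HDR_LEN + claimed)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, claimed);
    return (int)(HB_HDR_LEN + claimed);
}

int main(void)
{
    /* Constructed sample records, not captured traffic. */
    const uint8_t honest[] = { HB_REQUEST, 0x00, 0x06, 'c','o','f','f','e','e' };
    const uint8_t lying[]  = { HB_REQUEST, 0xfa, 0x00, 'c','o','f','f','e','e' }; /* claims 64000 bytes */
    uint8_t out[64];
    int n = heartbeat_respond(honest, sizeof honest, out, sizeof out);
    printf("honest request: %d bytes echoed\n", n);
    n = heartbeat_respond(lying, sizeof lying, out, sizeof out);
    printf("lying request: %s\n", n < 0 ? "rejected" : "answered");
    return 0;
}
```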
“‘Catastrophic’ is the right word,” said security expert Bruce Schneier on the potential impact of the bug. “On the scale of 1 to 10, this is an 11.”
Heartbleed was introduced to OpenSSL by Seggelmann on New Year’s Eve in 2011, but was only discovered this year by researchers from Google and a Finnish security group known as Codenomicon.
SSL stands for Secure Sockets Layer and is a type of encryption technology used in varying forms by websites to keep their users’ data secure. OpenSSL, the software that contained the bug, is an open source implementation of SSL, meaning that developers around the world contribute to and check its contents for free.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," Seggelmann has told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."
Seggelmann has admitted that the error was “quite trivial” but that its impact was “severe”.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
This admission may assuage those who have suggested that the flaw was introduced by intelligence agencies in order to snoop on the traffic, but as Seggelmann himself has said, just because the bug was a mistake doesn’t mean that it hasn’t been exploited by the likes of the NSA and GCHQ.
"It is a possibility, and it's always better to assume the worst than best case in security matters," said Seggelmann.