The Programmer Behind Heartbleed Speaks Out: It Was an Accident


Image: Mashable composite. iStockphoto, duncan1890


The Internet bug known as Heartbleed was introduced to the world on New Year's Eve in December 2011. Now, one of the people involved is sharing his side of the story.


Programmer Robin Seggelmann says he wrote the code for the part of OpenSSL that led to Heartbleed. But it was an accident. He submitted the code to the OpenSSL project and other members reviewed it. Seggelmann later added another piece of code for a new feature, which the project members then accepted. It was this added feature that introduced the bug.



Seggelmann told the Sydney Morning Herald that the actual error was "trivial," but that its impact was clearly severe. Since he and the reviewers missed the flaw, it eventually made its way to the official release, which went live on Dec. 31, 2011, according to logs.


Heartbleed is a vulnerability in the encryption that many sites use to ensure that your communications can't be intercepted. Theoretically, up to two-thirds of Internet traffic was exposed for more than two years. Engineers at security firm Codenomicon discovered the flaw last week, and it was publicly announced on April 7.


As the name suggests, OpenSSL is open-source, which makes it attractive to many services, big and small, as an easily implemented security tool. Although anyone can contribute to OpenSSL — either by contributing code or reviewing it to spot vulnerabilities like Heartbleed — few actually do.


"It would be better if more people helped improve it," Seggelmann told Mashable via email. "It doesn't really matter if companies benefitting from it provided some support, or if people do it in their spare time. However, if everybody just keeps using it and thinks somebody else will eventually take care of it, it won't work. The more people look at it, the less likely errors like this occur."


While standards exist for reviewing code, they are difficult to enforce for open-source software. To improve the process, Seggelmann suggests having more peer review, although that would require more people contributing time.


"If more people participated in improving OpenSSL, it could be required to have multiple independent reviews for each submission or people could specialize in reviewing specific parts of the software," he said.


For now, most sites affected have patched the bug. But the emergence of Heartbleed puts a spotlight on where certain responsibilities lie with open-source software. As tools like OpenSSL become widespread, it can lead to a disparity between the number of services that use them and the number that actually contribute. As Heartbleed confirms, nothing is truly free.

