Everyone that has any type of interest in their security as they browse the Internet has heard about Heartbleed by now – the famous OpenSSL bug that has ruined Internet safety for the entire world.
Robin Seggelmann, a German software developer, is the one who unknowingly allowed this to happen, making what’s been dubbed as a rookie’s mistake.
In an interview for the Sydney Morning Herald, Seggelmann explains his mistake and how a moment of negligence ended up being such a serious issue. The developer says he did not insert the bug with the intent to do so.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length,” he explained.
The error wasn’t noticed by the reviewer either and so Heartbleed ended up in the released version of OpenSSL.
Prior to this, Seggelmann was commonly fixing OpenSSL bugs and trying to contribute to the project. While he admits that it can be easy to believe that the bug was inserted maliciously, that wasn’t the case. “It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said.
The developer says that it is quite possible for intelligence agencies to have made use of the bug in the past two years, admitting that it’s always better to assume the worst than best case in security matters.
That being said, he urged more people to keep an eye over the code going into open source software, especially with something like OpenSSL, mentioning that the more people look at it, the better.
The encryption bug, called Heartbleed, has caused quite a bit of trouble. The problem exposed large parts of the Internet that were supposed to be protected against anyone knowing where to look. The protocol is used by some two thirds of the world’s websites, which means that there are a lot of unsafe sites out there that you need to be careful with, especially when inputting personal data, including passwords and bank account information.
Not only was information exposed, but a server’s private encryption keys were also up for grabs. These could then be used by criminals to decrypt data sent between a user of the website and the server.
This is the most severe security issues to hit the Internet in a very long while.