Heartbleed is a programming flaw in Heartbeat, an extension for OpenSSL, itself an encryption tool to help make websites and online communication more secure.
German computer programmer Robin Seggelmann has been outed as the man whose coding mistake, now known as Heartbleed, has left millions of internet users and thousands of websites vulnerable to hackers.
The discovery, by a Google engineer and Finnish security firm Codenomicon, has prompted experts to call on people to change their passwords to most, if not all, websites they subscribe to after site owners have fixed their vulnerabilities.
Dr Seggelmann, 31, from the small town of Oelde in north-west Germany, is a contributor to the Internet Engineering Task Force (IETF), a not-for-profit global group whose mission is to make the internet work better. He is attached to the Munster University of Applied Sciences in Germany, where, as research associate in the networking programming lab in the department of electrical engineering and computer science, he has published a number of papers, including his thesis on strategies to secure internet communications in 2012. He has been writing academic papers and giving talks on security matters since 2009, while still a PhD student.
His academic research influence index score of two, based on the number of scientific citations of his work, suggests an influential thinker at the early stages of his scientific career.
According to his Xing profile, Dr Seggelmann has worked for Deutsche Telekom IT services subsidiary T-Systems, possibly the largest such consultancy in Germany, since 2012, as a solutions architect.
Is this a man who would purposefully leave a gaping hole in the internet, which the US National Security Agency could have been exploiting to spy on people's communications?
Dr Seggelmann denied this in an interview with Fairfax Media on Thursday. He said: "It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area.
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he said.
OpenSSL is an open-source software project.
Open-source projects are by their nature open to others to contribute.
No one owns the code; no one is liable.
Willy Susilo, director of the Centre for Computer and Information Security Research at the University of Wollongong, said computer science students are encouraged to contribute to open source and are taught the ethics of the movement. They are taught to take their role responsibly, with the pressure to get it right looming higher depending on the project they are working on. But they also know that someone else in the community will review their work.
In the case of Heartbleed, the reviewer, Dr Stephen Henson, a UK consultant on OpenSSL, also missed the mistake.
Professor Susilo said that is not unusual. "It was just a development mistake when creating the algorithm. It's a serious mistake but a normal mistake."
He points to another encryption coding mistake discovered in 2004 on a version of GNU Privacy Guard, itself a version of Pretty Good Privacy, a popular email encryption tool.
Phong Q. Nguyen, author of the GnuPG paper, noted that "bad cryptography is much more frequent than good cryptography", and the "fact that a source code can be read does not imply that it is actually read, especially by cryptography experts".
"A reviewer would only look at the way [the algorithm] works, not at the code of the program that was submitted. The same happened with GnuPG, the reviewer accepted the code."
Professor Dr Michael Tuexen, who supervised Dr Seggelmann's PhD, told Fairfax Media Heartbleed was a mistake, a "small bug with a huge impact. Nothing less, nothing more."
"Please note that he initially also fixed several bugs in OpenSSL. Most of the submitted patches were finally accepted by the project. So adding the feature was not his first patch. Unfortunately, this patch contained the bug," Dr Tuexen said.
Meanwhile, Dr Seggelmann evaded questions on how he feels about being the author of such an infamous mistake and what it means for his current and future work. In an indication that he may fear the repercussions, he instead requested Fairfax Media not use any photos of him, although some are publicly available on the internet.
"It does not help anyone if this bug is associated with me personally," he said.
And he suggested that the more contributors to the open-source movement, the better the chance of mistakes being averted.
"I would prefer that you use the opportunity to make people aware that security is an important issue, and that incidents like this can best be prevented by more people participating in development and reviews of security-relevant software."
Professor Susilo said the open-source movement had already mobilised to fix the fault and it was now up to individual websites using the OpenSSL encryption to patch their systems.
"There is no one to blame. The code is always evolving," he said.
He reminded people to change passwords on all sites they subscribe to as it was just about impossible for individual users to tell which sites used OpenSSL.
Mashable has compiled a handy chart to guide users. Change passwords now for: Facebook, Instagram, Pinterest, Tumblr, Google, Yahoo, Dropbox, Minecraft and Amazon Web Services.