The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested.
In what appears to be his first comments to the media since the bug was uncovered, Robin Seggelmann said how the bug made its way into live code could “be explained pretty easily”.
The encryption flaw, called Heartbleed, has exposed large swathes of the internet to malicious exploitation, prompting some security experts to warn internet users against even using the web for the next few days.
The bug introduced a flaw into the popular OpenSSL software, which is used by many popular social networking websites, search engines, banks, and online shopping sites to keep personal and financial data safe. It allowed those who knew of its existence to intercept usernames, passwords, credit card details, and various other sensitive information from a website’s server in plain text.
It also allowed for a server’s private encryption keys to be stolen. Once stolen, these keys can be used by criminals to decrypt data sent between a website’s server and a user of that website.
“On a scale of one to 10, it is an 11,” renowned security expert Bruce Schneier said of the bug.
Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.
“In one of the new features, unfortunately, I missed validating a variable containing a length.”
After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Dr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.
Dr Seggelmann said the error he introduced was “quite trivial”, but acknowledged that its impact was “severe”.
A number of conspiracy theorists have speculated the bug was inserted maliciously.
Dr Seggelmann said it was “tempting” to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others.
“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said.
“It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate.”
Benefits of discovery
If anything had been demonstrated by the discovery of the bug, Dr Seggelmann said it was awareness that more contributors were needed to keep an eye over code in open source software.
“It’s unfortunate that it’s used by millions of people, but only very few actually contribute to it,” he said.
“The benefit of open source software is that anyone can review the code in the first place.
“The more people look at it, the better, especially with a software like OpenSSL.”
For specialist advice regarding your specific circumstances, please contact the BCR team.