The Heartbleed bug that was exposed last week has been labelled an ‘accident’ by the programmer responsible.
Heartbleed affects OpenSSL 1.0.1 and the 1.0.2 beta release, with a patch for 1.0.1 already being deployed. As Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are at the heart of Internet security, this security hole is one of the largest security threats seen to date.
The Heartbleed flaw can potentially be used to reveal not just the contents of a secured message over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as a skeleton key to bypass secure servers without leaving any trace that a site had been hacked.
Robin Seggelmann, the OpenSSL programmer responsible for Heartbleed, has denied it was inserted deliberately and said how the bug made its way into live code could “be explained pretty easily”. Seggelmann said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source ‘OpenSSL encryption protocol’ over two years ago. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said. “In one of the new features, unfortunately, I missed validating a variable containing a length.” After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Dr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.
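To make the “missed validating a variable containing a length” concrete, here is an added, deliberately simplified model of a heartbeat-style request handler, written for this article and not taken from OpenSSL. It assumes a toy record layout (one type byte, a two-byte claimed payload length, then the payload) and a constructed memory region in which a made-up string stands in for whatever happened to sit next to the record in the process heap. The unchecked handler trusts the claimed length and copies past the end of the record; the checked handler adds the bounds test that was missing, comparing the claimed length against the number of bytes the record actually carries.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy heartbeat record (illustration, not OpenSSL's real layout):
 *   byte 0     : message type (1 = request)
 *   bytes 1..2 : claimed payload length, big-endian
 *   bytes 3..  : payload
 */
#define HEAP_SIZE 64

/* Constructed memory region: the record occupies the first bytes, and
 * whatever follows models adjacent process memory. */
static unsigned char heap[HEAP_SIZE];

/* Lay out an 8-byte record that claims a 32-byte payload but carries 5,
 * and plant a constructed marker string further along the region. */
void setup_heap(void) {
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                      /* heartbeat request */
    heap[1] = 0x00; heap[2] = 0x20;   /* claimed payload length: 32 */
    memcpy(&heap[3], "hello", 5);     /* actual payload: 5 bytes, record is 8 bytes */
    memcpy(&heap[16], "MARKER", 6);   /* constructed adjacent data, outside the record */
}

/* Vulnerable pattern: the claimed length is used without checking it
 * against the real record length. Returns the number of bytes echoed. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    (void)rec_len;  /* never consulted: this is the missing validation */
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) claimed = out_cap;  /* keeps the toy in-bounds of `heap` */
    memcpy(out, rec + 3, claimed);             /* copies bytes past the 8-byte record */
    return claimed;
}

/* Fixed pattern: reject any request whose claimed length exceeds what the
 * record actually carries. Returns 0 on success, -1 on rejection. */
int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap, size_t *out_len) {
    if (rec_len < 3) return -1;                      /* header incomplete */
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (claimed + 3 > rec_len) return -1;            /* the check that was missing */
    if (claimed > out_cap) return -1;                /* output buffer too small */
    memcpy(out, rec + 3, claimed);
    *out_len = claimed;
    return 0;
}

/* Test helper: does the reply contain the constructed marker string? */
int reply_contains_marker(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + 6 <= len; i++)
        if (memcmp(buf + i, "MARKER", 6) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[HEAP_SIZE];
    size_t n;
    setup_heap();
    n = heartbeat_reply_unchecked(heap, 8, out, sizeof out);
    printf("unchecked: echoed %zu bytes, marker leaked: %s\n",
           n, reply_contains_marker(out, n) ? "yes" : "no");
    printf("checked: %s\n",
           heartbeat_reply_checked(heap, 8, out, sizeof out, &n) == 0
               ? "accepted" : "rejected (claimed length exceeds record)");
    return 0;
}
```

The fix is a single comparison, which is why a reviewer can miss it: nothing in the request's own header is inconsistent, only its relation to the enclosing record length.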
With many websites and servers using the affected Heartbleed OpenSSL code, there is a large amount of concern over which websites and servers are now vulnerable. LastPass allows users to enter a web address to check if the website is vulnerable or has released a patch. It is currently recommended that anyone with a Yahoo, OkCupid or GitHub account change their password as soon as possible.