Heartbleed bug developer did not do it 'intentionally'

Heartbleed developer Robin Seggelmann said 'bug was accident, not intentional'

German software developer Robin Seggelmann, who introduced the security flaw Heartbleed, said in an interview with the Sydney Morning Herald that he did not introduce the bug intentionally.

Dr Seggelmann, of Muenster in Germany, said that the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption library over two years ago.

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said. "In one of the new features, unfortunately, I missed validating a variable containing a length." After he submitted the code, a reviewer "apparently also didn’t notice the missing validation," Dr Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson. Dr Seggelmann said the error he introduced was "quite trivial," but acknowledged that its impact was "severe."

Conspiracy theorists and security advisors around the world have speculated that the bug was inserted maliciously and intentionally. Dr Seggelmann said it was "tempting" to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the NSA and others.

"But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

Taking this at face value, we can feel somewhat relieved that the bug was not introduced by a hacker, and our online passwords and data could be safe. However, since the Heartbleed bug was unearthed, it is possible that a hacker has exploited the bug to his benefit. Either way, it is recommended that you change all your online passwords immediately.

About the Heartbleed bug:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
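The missing length validation Dr Seggelmann describes, and the memory read it allowed, shown as an added example that is not OpenSSL's code or part of the original article: a simplified TLS heartbeat reply routine following the RFC 6520 message layout (type, 2-byte payload length, payload, at least 16 bytes of padding). The names `hb_build_response` and `hb_demo` and the sample request are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding after the payload */

/* Build the reply to the heartbeat message in rec[0..rec_len).
 * Returns the reply length, or -1 when the message is discarded.
 * rec_len is what was really received; the payload_length field is
 * sender-controlled and is trusted only after the check below. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HEADER + claimed + HB_MIN_PAD;

    /* The validation that was missed: the claimed payload must fit in
     * the bytes received. Without it, the memcpy below would read past
     * rec and echo adjacent process memory back to the sender. */
    if (total > rec_len || total > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD); /* random in real TLS */
    return (int)total;
}

/* Constructed sample: a request that carries 4 payload bytes while its
 * payload_length field says `claimed`. */
int hb_demo(uint16_t claimed)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST };
    uint8_t out[64];

    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HEADER, "ping", 4);
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}
```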

What is being leaked

Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug, we have classified the compromised secrets into four categories: 1) primary key material, 2) secondary key material, 3) protected content and 4) collateral.

How you are affected by the bug

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using a vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services.

Versions of OpenSSL that are affected

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

Operating systems that are vulnerable

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating systems that are not vulnerable

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
