The Programmer Behind Heartbleed Speaks Out: It Was an Accident




The code behind the Internet bug known as Heartbleed was committed to OpenSSL on New Year's Eve 2011. Now, one of the people involved is sharing his side of the story.
Programmer Robin Seggelmann says he wrote the code that became Heartbleed: an implementation of a new OpenSSL feature, the TLS Heartbeat extension, in which one peer sends a short message and the other echoes it back. It was an accident. He submitted the code to the OpenSSL project, other members reviewed it, and it was merged. The bug lived in that new feature: the code did not check that an incoming heartbeat message actually carried as many bytes of payload as its length field claimed, so a peer could ask the server to echo back far more than it had sent.
Seggelmann told the Sydney Morning Herald that the actual error was "trivial," but that its impact was clearly severe. Since he and the reviewers missed the flaw, it made its way into the official code: the commit is dated Dec. 31, 2011, according to the project's logs, and it shipped to users in OpenSSL 1.0.1 in March 2012.
Heartbleed is a vulnerability in OpenSSL, the library that many sites use to encrypt traffic so that communications can't be intercepted. It let anyone who could reach an affected server read up to 64 KB of that server's memory per request, without logging in and without leaving a trace in ordinary logs. An estimated two-thirds of web servers ran OpenSSL, so in theory that share of the Internet's secure traffic was exposed for more than two years. Engineers at security firm Codenomicon discovered the flaw last week (Google's security team found it independently), and it was publicly announced on April 7.
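To make the "trivial" error concrete, here is an added illustration; it is not OpenSSL's code and not Seggelmann's, just a constructed heartbeat handler that follows the RFC 6520 record layout (type, two-byte length, payload, padding). The `check` flag switches between the flawed behaviour (trust the length field) and the one-line fix (drop the record if the declared length does not fit inside what was actually received). The buffer layout, function names and the "secret" placed next to the request are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520 wire layout):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Added illustration only; names and buffer sizes are assumptions. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

/* Answer a heartbeat request. rec/rec_len is the record as actually received;
 * the response goes to out. Returns bytes written, 0 if the request is dropped.
 * check == 0 reproduces the flaw: the 16-bit length field is trusted as-is.
 * check != 0 applies the fix: the declared length must fit inside rec_len. */
size_t hb_respond(const uint8_t *rec, size_t rec_len,
                  uint8_t *out, size_t out_cap, int check)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    size_t need = HB_HDR + payload + HB_PADDING;        /* size of the echo */

    /* The missing check: a 4-byte payload can claim to be 65535 bytes long. */
    if (check && HB_HDR + payload + HB_PADDING > rec_len)
        return 0;                                        /* silently discard */
    if (need > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    /* Without the check this copies past the end of the real record. */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return need;
}

/* Constructed stand-in for heap memory: a short request followed by bytes
 * that happen to sit next to it (here a fake session token). */
static const char SECRET[] = "session=4f2a9c1e";

static size_t run_demo(int check, uint8_t *out, size_t out_cap)
{
    uint8_t mem[256] = {0};
    /* Request claims 64 bytes of payload but carries only "ping" (4 bytes). */
    mem[0] = HB_REQUEST; mem[1] = 0x00; mem[2] = 64;
    memcpy(mem + HB_HDR, "ping", 4);
    size_t rec_len = HB_HDR + 4 + HB_PADDING;            /* 23 bytes really arrived */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);        /* neighbouring memory */
    return hb_respond(mem, rec_len, out, out_cap, check);
}

/* 1 if the response echoed back the neighbouring SECRET, 0 otherwise. */
int demo_leaks_secret(int check)
{
    uint8_t out[256];
    size_t n = run_demo(check, out, sizeof out);
    size_t slen = strlen(SECRET);
    for (size_t i = HB_HDR; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0)
            return 1;
    return 0;
}

/* Response length for an honest request (payload really is 4 bytes), fix on. */
size_t demo_honest_request(void)
{
    uint8_t rec[HB_HDR + 4 + HB_PADDING] = {HB_REQUEST, 0x00, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[256];
    return hb_respond(rec, sizeof rec, out, sizeof out, 1);
}

int main(void)
{
    printf("flawed handler leaks secret: %d\n", demo_leaks_secret(0));
    printf("fixed handler leaks secret:  %d\n", demo_leaks_secret(1));
    printf("honest request, response bytes: %zu\n", demo_honest_request());
    return 0;
}
```

The flawed path answers the 23-byte request with an 83-byte response that contains whatever followed the request in memory; the fixed path drops it and still answers an honest request normally. The demo keeps the over-read inside one local array so it runs cleanly, which is exactly the point: in a real process those neighbouring bytes are other connections' keys, cookies and passwords.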
"If more people participated in improving OpenSSL, it could be required to have multiple independent reviews for each submission or people could specialize in reviewing specific parts of the software," he said.
For now, most affected sites have patched the bug, though patching alone only closes the hole: because private keys, session cookies and passwords may already have been read out of memory, a complete response also means reissuing certificates and rotating the credentials that could have leaked. But the emergence of Heartbleed puts a spotlight on where responsibility lies for open-source software. As a tool like OpenSSL becomes ubiquitous, the number of services that depend on it grows far faster than the number that contribute code or review to it. As Heartbleed confirms, nothing is truly free.


© 2013 TechPost. All rights reserved. Shared by Ipods,Inc
