German engineer who created ‘Heartbleed’ bug says it was an accident
Say hello to Robin Seggelmann.
The name may not ring a bell, but his handiwork has gained worldwide notoriety. Seggelman, it seems, is the poor soul who wrote the flawed piece of code that has come to be known as the Heartbleed bug.
According to his profile on the LinuxTag conference website, Seggelmannis a “researcher for the transport protocols of the Internet. Occasionally his work find its way into standards of the Internet Engineering Taskorce (IETF). In a manner of speaking he helps writing the technical ‘laws’ of the Internet. The computer scientist travels encrypted through the net. He knows, how easily he can be watched.”
He lives in the German city of Munster and is among the community of programmers who contribute code to the OpenSSL project. OpenSSL is the open-source software that provides encryption for two-thirds of the Web’s servers.
Seggelmann told the the Sydney Morning Herald that he did not notice the error when he wrote the flawed code that became the Heartbleed bug two years ago. And when he submitted it, the error was also missed by the person who reviewed the code.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he told the Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
According to the Herald’s review of OpenSSL logs, the reviewer was Dr. Stephen Henson, a member of the project’s “core team.”
Seggelmann gave the interview in part to clarify that Heartbleed was a mistake, not deliberate. He wanted to counter rumors that it was part of some nefarious plot to create a backdoor to allow government security agencies to spy on Internet users.
“In this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he told the Herald. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”