What is the Heartbleed software bug?

Posted Apr 12, 2014

Heartbleed is a software bug in the open-source cryptography library OpenSSL. The cybersecurity problem started on New Year’s Eve 2011, around an hour before the midnight on a Saturday. A British computer consultant in Staffordshire, England posted a new version of the popular free cryptographic system OpenSSL.

Dr. Stephen Henson, the British consultant, reviewed and approved the update. The update was written by a German graduate student at the University of Muenster named Robin Seggelmann. Both of them did not realize that the OpenSSL version 1.0.1 they released that night had a flaw that was detected this week and caused panic across the world because it could allow hackers to access a server’s security-related data.

Companies like Yahoo!, Netflix, and Flickr quickly reacted and had to make adjustments to prevent vulnerabilities caused by Heartbleed. This issue also points out how much the Internet relies on open-source software like OpenSSL. Seggelmann is now a 31-year-old programmer at Deutsche Telekom AG.

Seggelmann has been accused of writing faulty code of helping out an intelligence agency like the U.S. National Security Agency (NSA).

Seggelmann said that the flaw was a simple mistake with one with massive consequences. Seggelmann specialized in communications and encryption. He contributed to the OpenSSL project several times while he worked as a research assistant in electrical engineering and computer science at the University of Muenster.

?I was working on a research project at the University of M√ľnster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project,? said Seggelmann. ?The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code.?

Dr. Henson provided the input to Seggelmann. Henson is the only member of the OpenSSL core team that works full-time on the project.

Security experts said that it is unlikely that the problem was inserted maliciously because it was in plain sight and is a common flaw that is written in the C programming language.

Bloomberg reported on Friday that the NSA was aware of the Heartbleed vulnerability for at least two years and used it for gathering intelligence. The NSA denied this accusation.

Seggelmann wrote an update that dealt with the heartbeat extension, which is a protocol that maintains a secure connection between a remote user and a web server. This bounces back and forth chunks of data, called heartbeats, to ensure the connection stays alive. Seggelmann did not set a limit on the amount of data being sent back to the user, which means that additional information could leak out of the computer processing memory.

A hacker that is persistent that could keep sending heartbeat requests and collect the resulting data leak until the computer sends out a password or an encryption key.

?I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug,? said Seggelmann. ?Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.?

The reason why open-source software is widely used is because it is free and because the original programming text is available for public scrutiny so that security flaws can be detected. The Heartbleed vulnerability was discovered by a Google Security programmer and a Finnish company called Codenomicon. The fix was made by volunteers as well.

OpenSSL started 15 years ago and is managed by a group of 4 people with another 7 programmers that are active contributors. The volunteers are mostly based in Britain and Germany. There is one volunteer in Canada. This makes OpenSSL a virtual operation. Many contributors have never met face-to-face. OpenSSL generally gets around $2,000 per year in donations, according to Steve Marquess. Marquess runs the OpenSSL Software Foundation.

The OpenSSL Software Foundation receives financing for the OpenSSL project by contracting out the work of the volunteer programmers. That labor earned over $1 million in gross revenue last year.

?OpenSSL is an under-the-hood component. Most people are never aware that it?s there, stated Marquess. This is why it is “being taken for granted.”

There is a backlog of hundred of code submissions from programmers due to a lack of resources. OpenSSL received $3,000 in donations due to the awareness of the bug that became public this week.