‘Heartbleed’ developer talks about the error in OpenSSL programming
Apr 11, 2014
An image of a bleeding heart is currently the symbol for a security flaw in the OpenSSL encryption software used by many Internet services, including the T-Online e-mail service.
Read one of the latest posts (German-language) from our Security Special to find out what steps Deutsche Telekom has taken to close the Heartbleed gap on its servers and for advice from our experts to help customers stay safe when it comes to e-mails, virus protection and passwords.
This topic is currently making headlines across the world’s media, with some articles calling it the most serious security incident in the history of the Internet. The Guardian has an interesting article on what customers need to do to stay safe.
Germany’s news portal Spiegel Online reported that the individual who wrote the faulty software is now a DT employee. Our colleague - who is now the subject of absurd conspiracy theories - has given us his side of the story, which we would like to publish here. With respect for his privacy, however, we will not reveal his name.
“I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released.
“Because no plausibility check had been carried out on the length, by entering invalid values it was possible to read more memory than intended. This meant it was possible to access security-related data, turning a simple mistake into one with massive consequences.
“It is impossible to say whether the vulnerability, which has since been identified and removed, has been exploited by intelligence services or other parties.
“It is imperative that critical, security-related software is monitored as often as possible in order to prevent errors like this happening again in future - or, at least, to reduce the likelihood of problems on this scale remaining undiscovered for so long. That is one of the major advantages of Open Source Software, which is available to everyone who wants to be a part of it. But OpenSSL in particular still lacks the support it needs, despite being extremely widely available and used by millions. Although there are plenty of users, there are very few actively involved in the project.”
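The missing plausibility check described in the statement above, shown as an added C example; this is not code from OpenSSL or from the developer quoted here. It assumes the heartbeat message layout from RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) and uses hypothetical function names. The validation compares the length field supplied by the peer against the number of bytes actually received in the record, which is the bound the Heartbleed fix introduced; `hb_overread_bytes` only reports how far an unchecked copy would have read past the record, it never performs that read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message body layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes payload
 *   at least 16 bytes random padding */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Outcome of validating one received heartbeat record (hypothetical type). */
typedef struct {
    int ok;            /* 1 only if the record is well-formed */
    uint16_t claimed;  /* payload length the peer wrote into the header */
    size_t available;  /* bytes actually present after the 3-byte header */
} hb_check_t;

/* The plausibility check: the claimed payload length, plus header and
 * minimum padding, must fit inside the bytes that were really received.
 * The bound is rec_len (what arrived), never the peer-supplied field. */
hb_check_t hb_validate(const uint8_t *rec, size_t rec_len) {
    hb_check_t r = {0, 0, 0};
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return r;
    r.claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    r.available = rec_len - HB_HEADER_LEN;
    if ((size_t)HB_HEADER_LEN + r.claimed + HB_MIN_PADDING > rec_len) return r;
    r.ok = 1;
    return r;
}

/* How many bytes beyond the received record an unchecked copy of
 * `claimed` bytes would have read. Purely a measurement for the reader:
 * no out-of-bounds access takes place. Returns 0 for a valid record. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    hb_check_t c = hb_validate(rec, rec_len);
    if (c.ok) return 0;
    return c.claimed > c.available ? c.claimed - c.available : 0;
}

/* Build the echo response, but only for a record that passed hb_validate.
 * Returns the number of bytes written, or 0 if the record was rejected or
 * the output buffer is too small. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len) {
    hb_check_t c = hb_validate(rec, rec_len);
    if (!c.ok) return 0;
    size_t need = (size_t)HB_HEADER_LEN + c.claimed + HB_MIN_PADDING;
    if (out_len < need) return 0;
    out[0] = 2;            /* heartbeat_response */
    out[1] = rec[1];       /* echo the (now validated) length field */
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, c.claimed);
    /* Real implementations fill the padding with random bytes; zeros here. */
    memset(out + HB_HEADER_LEN + c.claimed, 0, HB_MIN_PADDING);
    return need;
}

int main(void) {
    /* Constructed records: both carry a 4-byte payload "ping" and 16 bytes
     * of padding (23 bytes in total); only the length field differs. */
    uint8_t honest[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t bogus[23]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[64];

    printf("honest record: ok=%d, response bytes=%zu\n",
           hb_validate(honest, sizeof honest).ok,
           hb_build_response(honest, sizeof honest, out, sizeof out));
    printf("bogus record:  ok=%d, unchecked copy would over-read %zu bytes\n",
           hb_validate(bogus, sizeof bogus).ok,
           hb_overread_bytes(bogus, sizeof bogus));
    return 0;
}
```

The record with the honest length field is accepted and echoed; the one whose header claims 65,535 bytes of payload while carrying only 20 bytes after the header is rejected before any copy happens, and the measurement function shows that an unchecked copy would have read 65,515 bytes past the received data.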
Reporting security incidents
Please contact the Cyber Emergency Response Team (CERT) if you have any information about cyber attacks or system weaknesses.