Heartbleed software security error was not deliberate, says programmer

German programmer denies deliberately leaving ‘back door’ in OpenSSL encryption software

Programmer Robin Seggelmann said the ‘Heartbleed’ error in the OpenSSL software used to encrypt web communications was “fairly trivial” but, overlooked, had created a “fairly severe” security threat.

A German programmer has denied deliberately leaving a so-called back door when he programmed an update to software at the heart of the ‘Heartbleed’ worldwide online security scare.

The hole was left by Robin Seggelmann in the OpenSSL software used to encrypt web communications. For three years it potentially allowed unauthorised access to memory of computer systems running the software, compromising everything from email passwords to credit card numbers.
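The kind of mistake described above, as an added illustration that is not OpenSSL's code and not from this article: a simplified heartbeat-style echo handler in which the number of bytes copied back is taken from the peer's length field without checking it against the bytes that actually arrived, shown beside the bounds-checked version. The record layout, the HB_* names, the `count_leaked_bytes` harness and the arena of 'X' bytes standing in for neighbouring memory are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example (a simplification, not the
 * full wire format): 1 byte type, 2 byte big-endian payload length, payload. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3 };

/* Shape of the bug: the echo copies as many bytes as the peer *claims* to
 * have sent, never comparing that claim with what actually arrived
 * (rec_len). If claimed > rec_len - HB_HDR, memcpy reads past the end of the
 * record into whatever happens to be adjacent in memory.
 * Returns the number of bytes written to `out`, 0 if nothing was produced. */
size_t heartbeat_echo_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + claimed > out_cap)      /* keeps only the *write* in bounds */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* over-read happens here */
    return HB_HDR + claimed;
}

/* Hardened version: the claimed length must be covered by the bytes that
 * were actually received; otherwise the record is dropped. */
size_t heartbeat_echo_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HDR)      /* the missing bounds check */
        return 0;
    if (HB_HDR + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

/* Demonstration harness: a short request sits in a buffer directly followed
 * by unrelated data ('X' bytes stand in for whatever else the process holds).
 * Counts how many of those neighbouring bytes end up in the reply. The
 * over-read stays inside `arena`, so the demo itself is well-defined C. */
#define ARENA_SIZE 64
size_t count_leaked_bytes(size_t (*echo)(const uint8_t *, size_t,
                                         uint8_t *, size_t))
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, 'X', sizeof arena);
    /* Constructed request: claims a 32-byte payload but carries only "hi". */
    const uint8_t request[] = { HB_REQUEST, 0x00, 0x20, 'h', 'i' };
    memcpy(arena, request, sizeof request);

    uint8_t reply[ARENA_SIZE];
    size_t n = echo(arena, sizeof request, reply, sizeof reply);
    size_t leaked = 0;
    for (size_t i = HB_HDR; i < n; i++)
        if (reply[i] == 'X')
            leaked++;
    return leaked;
}

int main(void)
{
    printf("unchecked handler leaked %zu neighbouring bytes\n",
           count_leaked_bytes(heartbeat_echo_unchecked));
    printf("checked handler leaked %zu neighbouring bytes\n",
           count_leaked_bytes(heartbeat_echo_checked));
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed length against `rec_len`; with it missing, a request that carries two bytes but claims 32 is answered with 30 bytes that were never part of the request.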

The programmer from the western city of Münster said he made the coding mistake in 2011 while contributing to the new “Heartbleed” function of OpenSSL, an open-source program to which anyone can contribute.

Changes submitted by programmers are reviewed for errors before being added to the final release and distribution via the web. Dr Seggelmann told Spiegel Online the mistake was “fairly trivial” but, overlooked, had created a “fairly severe” security threat.

Embedded faults
The faults in the code remained part of the final software release for over two years, potentially allowing data theft from websites that encrypted their connections with the SSL software.

With worldwide web security compromised, firms today raced to fix the problem.

Leading tech giant Google and its YouTube subsidiary announced today that they had patched their services. Facebook followed suit, saying there was no need for users to change their passwords. Of the major tech players, only Yahoo has encouraged users to change their passwords.

It also emerged today that the Heartbleed flaw has been found in the hardware connecting homes and businesses to the internet, underscoring the amount of time and effort that will be needed to defuse the threat.

Cisco Systems and Juniper Networks said some of their networking products were susceptible to the encryption bug.

Security experts urged consumers to change their web passwords immediately, but it will take longer to fix networking equipment and software because Cisco and Juniper will have to rely on customers applying the patches they push out, according to Jaime Blasco, director of internet security research firm AlienVault Labs.

'More painful'
“It's more painful to update these kinds of devices,” Mr Blasco said. “You have to go one by one.”

The vulnerability affects several of the routers, switches and security firewalls sold by Cisco and Juniper, the two manufacturers said in statements today.

Cisco said it would tell customers when software patches for its affected products were available. “We encourage our customers to visit our website for ongoing updates.”

Juniper issued a patch earlier this week for its most vulnerable products, those that feature virtual private network (VPN) technology. VPNs offer a secure way to connect remotely to corporate networks.

Derek Scally

Derek Scally is an Irish Times journalist based in Berlin