HeartBleed OpenSSL Bug
The Heartbleed Bug was a "simple programming error" according to the German developer responsible but could have been exploited for months.

It was 11pm on New Year's Eve in 2011, and while most of the world was out partying, in the small town of Oelde in north-west Germany, respected software developer Dr. Robin Seggelmann was busy submitting 20 changes to the code of OpenSSL, the open source encryption software used to protect the communications taking place on millions of websites around the world.

Seggelmann is one of a small army of volunteers spread across four continents who look after the code behind OpenSSL, which has been around since the 1990s.

Seggelmann's code was flawed. It was subsequently reviewed by Dr. Stephen Henson who also missed the error. The code was signed off and the update was pushed out to an unsuspecting online world.

The mistake was "a simple missing bounds check in the code that handles TLS 'heartbeat' messages" according to renowned cryptographer Matthew Green, but that tiny mistake has this week had huge repercussions.


The Heartbleed Bug, as the flaw has become known, wasn't publicly reported until Monday, after it was discovered by Finnish security company Codenomicon and separately by Google researcher Neel Mehta, in the last couple of weeks.

While most of the major websites and services which were compromised have now been patched, no one has any idea how long this flaw was known about by those who wanted to keep it a secret.

Speaking to the Sydney Morning Herald about the error, Seggelmann said "I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length."

"Simple programming error"

Some, including renowned security expert Bruce Schneier have asked if this was a deliberate attempt to undermine the security of OpenSSL, possibly by those working for law enforcement agencies such as the NSA or GCHQ - allegations given much more weight of course following Edward Snowden's revelations about widespread and indiscriminate surveillance.

Seggelmann addressed this question saying there was nothing malicious in what he did, and that it was a "simple programming error."

Seggelmann added: "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

In the wild

HeartBleed OpenSSL Bug

Whether or not Seggelmann is telling the truth, the Electronic Frontier Foundation (EFF) says it has discovered proof that the Heartbleed Bug was being exploited in November of last year, much earlier than the rest of the world learned about it on Monday.

The EFF's conclusion is based on the work of Terrence Koeman who discovered what looks like the Heartbleed flaw being exploited back in November 2013.

The EFF points out that the two IP address associated with this particular attack are part of a bigger bonnet which is being used to record huge swathes of conversations taking place on IRC networks.

The EFF concludes: "This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers."

The campaigning group is also calling on the networking community to gather more evidence by checking TLS-layer traffic logs for malicious heartbeats.

Who knew and when?

The Heartbeat Bug has caused huge waves across the internet this week. While websites rush to patch their software and (hopefully) issue new encryption keys, internet users are trying to decide if or when they should be changing their passwords.

The real problem however is that since Seggelmann pushed his flawed code on 31 December, 2011 no one knows who has been aware of the vulnerability or when they may have begun to exploit it.

The exploit leaves no trace and while we may discover more evidence of malicious heartbeats, it is likely we will never know the extent to which criminals or spy agencies have been using heartbleed to monitor our online activity.