Heartbleed's engineer: It was an 'accident'
http://www.zdnet.com/heartbleeds-engineer-it-was-an-accident-7000028335/

The Heartbleed bug has rocked the security industry and web services in the past few days. However, the programmer responsible for the oversight says that it was an accident that the flaw was introduced in the first place.
Heartbleed is an encryption flaw which affects OpenSSL's 1.0.1 and the 1.0.2-beta release, which is used widely across the web and in a number of popular web services. The flaw can theoretically be used to view apparently-secure communication across HTTPS, usually denoted by a small closed padlock in a browser's address bar.
The data potentially at risk includes everything from passwords and encryption keys to financial details and personally identifiable information -- allowing a hacker to dip in, swipe data, and leave no trace of their existence.
Commenting on the discovery, Bruce Schneier wrote on his security blog Schneier on Security:
more at link above
bemildred (90,061 posts)

The programmer responsible for creating the Heartbleed bug that affected millions of websites across the web has come forward to say that the flaw was a mistake and can be explained pretty easily.
Robin Seggelmann was working on the OpenSSL software that is used as encryption by major websites as part of his PhD when he amended a section of the code known as the heartbeat.
The "heartbeat" lets servers exchange brief messages with the user to check they're still there. The user's computer sends the server a randomly-chosen message (for example "coffee") and its length (six characters long). The server then returns this message to confirm that communications between the two are still working fine.
Seggelmann's piece of code unfortunately created a loophole that let malicious users trick the server by claiming that their random message was as long as 64,000 characters. So, in the example above, the server sends back the word "coffee" as well as tens of thousands of characters of potentially damaging information.
http://www.independent.co.uk/life-style/gadgets-and-tech/news/coder-responsible-for-catastrophic-heartbleed-bug-says-it-can-be-explained-pretty-easily-9254053.html
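Added illustration of the check described above (not code from either article, nor OpenSSL's own): a toy heartbeat record handler that assumes a simplified RFC 6520 layout with a fixed 16-byte padding, and builds the echo only from bytes that actually arrived, so a request claiming 64,000 characters while carrying "coffee" is rejected rather than answered.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
/* Stand-in for a TLS heartbeat record (RFC 6520 layout), written for this page and
 * not OpenSSL's code:  type (1) | payload_length (2, big-endian) | payload | padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* assumed fixed padding size for the demo */
/* Builds the response to 'rec' into 'out'. Returns the response length, or -1 when the
 * claimed payload length is not actually present in the received record. Without the
 * bound below, the echo would copy 'claimed' bytes of memory regardless of what arrived. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Same bound the OpenSSL fix added: type + length field + payload + padding must fit. */
    if (1 + 2 + claimed + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + claimed + HB_PADDING;
    if (resp_len > out_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);         /* echo only bytes the peer really sent */
    memset(out + 3 + claimed, 0, HB_PADDING);  /* padding is random in TLS; zero here */
    return (int)resp_len;
}
/* Encodes a request whose length field says 'claimed' while the payload really is
 * strlen(payload) bytes, so a mismatch can be modelled; returns the record length. */
size_t heartbeat_request(uint8_t *rec, size_t rec_cap, const char *payload, uint16_t claimed) {
    size_t plen = strlen(payload);
    size_t total = 1 + 2 + plen + HB_PADDING;
    if (total > rec_cap) return 0;
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + 3, payload, plen);
    memset(rec + 3 + plen, 0, HB_PADDING);
    return total;
}
/* Round trip for the demo: response length, or -1 if the server rejected the record. */
int check_echo(const char *payload, uint16_t claimed) {
    uint8_t rec[128], out[128];
    size_t n = heartbeat_request(rec, sizeof rec, payload, claimed);
    return n ? heartbeat_respond(rec, n, out, sizeof out) : -1;
}
int main(void) {
    printf("\"coffee\", claimed length 6:     %d\n", check_echo("coffee", 6));      /* 25 */
    printf("\"coffee\", claimed length 64000: %d\n", check_echo("coffee", 64000));  /* -1 */
    return 0;
}
```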