The Washington Post

The man who says he gave the Internet ‘Heartbleed’ talks about his mistake

On New Year’s Eve in 2011, software developer Robin Seggelmann was in front of his computer trying to work out some kinks in the security software most of the Internet uses.

That’s when he made a mistake that led to one of the worst bugs in the Internet’s history, known as “Heartbleed,” a flaw in the security infrastructure (OpenSSL) used by a large swath of the Web.

Nowadays, it’s unusual for someone to step up and take responsibility, but Seggelmann, a German developer, did just that.

He told his story to Ben Grubb of The Sydney Morning Herald:

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features…In one of the new features, unfortunately, I missed validating a variable containing a length.”

After he submitted the code, a reviewer “apparently also didn’t notice the missing validation,” Seggelmann said, “so the error made its way from the development branch into the released version.”

Dr Seggelmann said the error he introduced was “quite trivial,” but acknowledged that its impact was “severe.”
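The error Seggelmann describes is a length field that the code trusted without checking it against the data that had actually arrived. The C program below is an added illustration, not code from the article or from OpenSSL: it uses a simplified, hypothetical request layout (one type byte, a two-byte big-endian declared length, then the payload) and a constructed byte array standing in for process memory, and places the unchecked echo beside the hardened one that adds the single missing comparison.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout modelled on the bug described in the article:
 *   [type:1][declared_len:2, big-endian][payload:declared_len]
 * The sender controls declared_len; the receiver only knows how many bytes
 * actually came off the wire (recv_len). */
#define MAX_RESPONSE 64

/* Constructed stand-in for process memory: the request occupies the first
 * 5 bytes, and the bytes after it represent whatever else happens to be
 * nearby. Declared length is 0x0020 = 32, but only 2 payload bytes arrived. */
static const unsigned char fake_memory[MAX_RESPONSE] =
    "\x01\x00\x20" "hi"             /* type 1, declared_len 32, payload "hi" */
    "\0\0\0\0\0\0\0\0\0\0\0"        /* 11 bytes of filler */
    "SECRET-TOKEN-IN-MEMORY";       /* neighbouring data the request never contained */
static const size_t received_len = 3 + 2;

/* Vulnerable variant: trusts the declared length and never consults recv_len,
 * so the copy runs past the request into neighbouring memory.
 * Returns the number of bytes echoed. */
size_t echo_unchecked(const unsigned char *req, size_t recv_len,
                      unsigned char *out, size_t out_cap) {
    (void)recv_len;                                   /* ignored: that is the bug */
    size_t declared = ((size_t)req[1] << 8) | req[2];
    if (declared > out_cap) declared = out_cap;       /* bounds only the output buffer */
    memcpy(out, req + 3, declared);
    return declared;
}

/* Hardened variant: the declared length must fit inside what was received.
 * Returns bytes echoed, or -1 if the request is malformed. */
long echo_checked(const unsigned char *req, size_t recv_len,
                  unsigned char *out, size_t out_cap) {
    if (recv_len < 3) return -1;                      /* no room for the header */
    size_t declared = ((size_t)req[1] << 8) | req[2];
    if (3 + declared > recv_len) return -1;           /* the missing validation */
    if (declared > out_cap) return -1;                /* never overrun our own buffer */
    memcpy(out, req + 3, declared);
    return (long)declared;
}

/* Helper for checking whether the echoed bytes include data that was never
 * part of the request (a simple byte-string search, NUL-safe). */
int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MAX_RESPONSE];
    size_t n = echo_unchecked(fake_memory, received_len, out, sizeof out);
    printf("unchecked echoed %zu bytes, neighbour data leaked: %s\n",
           n, contains(out, n, "SECRET") ? "yes" : "no");
    long r = echo_checked(fake_memory, received_len, out, sizeof out);
    printf("checked result: %ld (negative means rejected)\n", r);
    return 0;
}
```

The whole fix is the one comparison between the declared length and the received length; a reviewer can catch this class of defect by asking, for every length read from the wire, where it is checked against the size of the data actually in hand.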

Seggelmann, who lives in Münster, Germany, told the Herald he didn’t insert the error on purpose, as some conspiracy theorists have suggested.

“It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” he said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

Codenomicon, a Finnish security firm, discovered the bug now known as “Heartbleed” last week. But for the past several years, users’ passwords, credit card numbers, e-mails and other personal data have been available to anyone who knew how to exploit the weakness, like hackers or the National Security Agency.

Seggelmann told the Herald that intelligence agencies could have exploited the flaw to spy on people.

“It is a possibility,” Seggelmann said, “and it’s always better to assume the worst than best case in security matters.”

Who is Seggelmann? According to Australia’s The Age:

Seggelmann, 31, from the small town of Oelde in north-west Germany, is a contributor to the Internet Engineering Task Force (IETF), a not-for-profit global group whose mission is to make the internet work better. He is attached to the Münster University of Applied Sciences in Germany, where, as research associate in the networking programming lab in the department of electrical engineering and computer science, he has published a number of papers, including his thesis on strategies to secure internet communications in 2012. He has been writing academic papers and giving talks on security matters since 2009, while still a PhD student.

Apparently, mistakes such as Seggelmann’s aren’t rare. Programmers on Reddit sympathized with him and swapped stories of their own coding errors.

“Really, the only reason that most of us haven’t caused such a massive f—up is that we’ve never been given the opportunity,” one wrote.

So if errors like these are easy to make and have potentially disastrous consequences, why isn’t something being done?

“It would be better if more people helped improving [OpenSSL],” Seggelmann told Mashable via e-mail. “The more people look at it, the less likely errors like this occur.”

Farhad Manjoo, writing in the New York Times, called the error “the computer programming equivalent of misspelling Mississippi — an error at once careless, inevitable and hard for most human eyes to spot.”

He wrote:

The bug known as Heartbleed, a flaw widely replicated in the main system for encrypting consumers’ online data, is a stark reminder that the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today’s digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.

Gail Sullivan covers business for the Morning Mix blog.
