11 Apr 2014

OpenSSL Developer Expresses Regrets over Heartbleed Oversight

The OpenSSL developer who created the Heartbeat function, and inadvertently the Heartbleed vulnerability, has expressed his regrets over the oversight, according to The Guardian.

The Germany-based developer, Robin Seggelmann, submitted the update that enabled the Heartbeat function in 2011 at 11:59 on New Year’s Eve. The update created Heartbeat but also introduced the Heartbleed vulnerability, an error he attributed to an “oversight”.

“I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight,” Seggelmann said. “Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

Hackers could have obtained critical data passing over the internet, as the vulnerability has also been found in Cisco and Juniper routing gear.

Seggelmann worked as a developer on the OpenSSL project between 2008 and 2012 during his PhD studies and is no longer involved in the project.

He also said the datestamp was not relevant to the vulnerability: “The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.”