The "Heartbleed" flaw that has turned internet security upside down was added to the open-source OpenSSL protocol on New Year's Eve 2011, experts now believe. It was entered by one man — German software developer Robin Seggelmann — and a subsequent review failed to pick up on the catastrophic coding error Seggelmann had made. "In one of the new features, unfortunately, I missed validating a variable containing a length," he told the Sydney Morning Herald. By now you're likely well familiar with the damage that's resulted from what he described as a "trivial" error.
Some have accused Seggelmann of intentionally adding the major security hole to OpenSSL, charges that he vigorously denies. After all, the reason he was working on OpenSSL that night was to contribute bug fixes and improvements to the project. "It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said. But Seggelmann acknowledges that the mistake has led to "severe" consequences.
As The New York Times points out, the entire debacle is a stark reminder of web security's fragile state. The protections around a critical protocol can be undone by a simple mistake, and that slip-up can go unnoticed for years — just as it did here. "It’s unfortunate that it’s used by millions of people, but only very few actually contribute to it," Seggelmann said. "The benefit of open source software is that anyone can review the code in the first place."