There should have been little doubt that once the Heartbleed bug was discovered, one of the first things the public was going to do was go on a witch hunt for the person or people responsible. As it turns out, Mr. Robin Seggelmann of Münster in Germany says that he was only aiming to improve OpenSSL, and that all allegations that he may have introduced the bug on purpose are false.
Instead, believe it or not, a flaw like Heartbleed only needed two people to miss it before it was introduced into the wild. Seggelmann wrote a piece of code for OpenSSL, a single reviewer didn’t catch it, and it was a done deal.
According to Seggelmann, the missing bit of validation that made Heartbleed possible was overlooked first by him and then by the reviewer. Once this happened, the error went from the development branch into the released version of OpenSSL and out to millions of websites over the past two years.
It was only “a simple programming error,” said Seggelmann, that just happened to have “unfortunately occurred in a security relevant area.” Seggelmann also suggests that “it was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
Have a peek at our Heartbleed coverage over the past couple of days and make certain you’re not logging in to any still-vulnerable sites – it costs you nothing to check and re-check. Like NSA spying, it’s relatively unlikely that you’re being targeted at any given point unless you’re very, very unlucky, but don’t chance it!