Heartbleed: How it was introduced, How it was fixed, and What's Vulnerable?

The Register has an excellent writeup on how Heartbleed was introduced into OpenSSL.

After digging through OpenSSL's Git repository, I was able to identify the commits that introduced, and later fixed, this bug.

The bug was originally introduced into OpenSSL's source code on Dec 31, 2011.  According to the diff, the heartbeat code was provided by Robin Seggelmann. Robin has already stated that the error was "trivial", but clearly the error had far-reaching consequences. The error itself is a missing bounds check: the heartbeat handler trusted the payload length claimed by the peer instead of comparing it against the length of the record actually received, so a single malformed request could return up to 64 KB of the process's memory to the sender.

The bug was fixed with only a few lines of code, as you can see from this commit from April 5, 2014: the patch checks the claimed payload length against the received record length (plus the 16 bytes of minimum padding) and silently discards any request that does not fit.
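To make the "trivial" error and its fix concrete, here is an added, self-contained model of the heartbeat handler. This is illustrative code written for this page, not OpenSSL's own source: the record layer is replaced by a byte arena so the over-read stays inside memory we own and is observable rather than undefined behaviour, the `hb_record`/`hb_response`/`build_request` names are invented for the example, and the planted "private key" string is a constructed stand-in for whatever happened to sit next to the record on the heap. The two length checks in `hb_fixed()` mirror the ones the fix added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message:
 *   type(1) || payload_length(2, big-endian) || payload || padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_MAX_PAYLOAD = 65535 };

/* Simulated process memory (not a real record layer): the received record sits
 * at the front and other heap contents follow it. Sized so that any 16-bit
 * claimed length still stays inside the arena. */
static unsigned char arena[3 + HB_MAX_PAYLOAD + HB_PADDING + 256];

/* What the record layer knows: where the message starts and how many bytes
 * were really received (OpenSSL's s->s3->rrec.length). Hypothetical type. */
typedef struct {
    const unsigned char *p;
    size_t length;
} hb_record;

/* Response buffer large enough for the largest claimable payload. */
unsigned char hb_response[1 + 2 + HB_MAX_PAYLOAD + HB_PADDING];

/* Constructs a request that claims `claimed` payload bytes while actually
 * sending `actual`, and plants `secret` in the arena right after the record. */
hb_record build_request(uint16_t claimed, size_t actual, const char *secret)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memset(arena + 3, 'A', actual);               /* payload bytes really sent */
    memset(arena + 3 + actual, 'P', HB_PADDING);  /* minimum padding */
    size_t len = 3 + actual + HB_PADDING;
    strcpy((char *)arena + len, secret);          /* adjacent memory, NOT part of the record */
    hb_record r = { arena, len };
    return r;
}

/* Shared tail: build the response once a payload length has been accepted. */
static size_t write_response(const unsigned char *pl, unsigned short payload)
{
    unsigned char *bp = hb_response;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);         /* copies `payload` bytes from the request payload */
    bp += payload;
    memset(bp, 0, HB_PADDING);       /* OpenSSL fills this with random padding */
    return 1 + 2 + payload + HB_PADDING;
}

/* Vulnerable handler: the length comes straight from the peer and is never
 * compared with the bytes actually received. Returns response length, 0 if dropped. */
size_t hb_vulnerable(hb_record r)
{
    const unsigned char *p = r.p;
    unsigned char type = *p++;
    unsigned short payload = (unsigned short)((p[0] << 8) | p[1]);  /* n2s(p, payload) */
    p += 2;
    if (type != HB_REQUEST) return 0;
    return write_response(p, payload);  /* BUG: reads past the record when payload > actual */
}

/* Fixed handler: reject anything the received record cannot actually contain. */
size_t hb_fixed(hb_record r)
{
    const unsigned char *p = r.p;
    if (1 + 2 + 16 > r.length)                      /* no room for header + minimum padding */
        return 0;
    unsigned char type = *p++;
    unsigned short payload = (unsigned short)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + 16 > r.length)    /* claimed length exceeds record: drop silently */
        return 0;
    if (type != HB_REQUEST) return 0;
    return write_response(p, payload);
}

/* Returns 1 if `needle` occurs anywhere in the first n bytes of `hay`. */
int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    const char *secret = "-----BEGIN RSA PRIVATE KEY-----";  /* constructed heap contents */
    hb_record r = build_request(4000, 1, secret);            /* claims 4000 bytes, sends 1 */
    size_t n = hb_vulnerable(r);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n", n,
           contains(hb_response, n, secret) ? "yes" : "no");
    n = hb_fixed(r);
    printf("fixed: %s\n", n ? "responded" : "request dropped");
    return 0;
}
```

Note the order of the checks in `hb_fixed()`: the record must be long enough to hold the three header bytes plus padding before the length field is even read, and only then is the claimed payload compared against `r.length`. Both checks discard the message without responding, which is what RFC 6520 requires for malformed heartbeats, so a peer probing for the bug gets no signal back.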

On a side note, Robin was also one of the authors of RFC 6520, which describes the TLS heartbeat extension.

If you'd like to see the Heartbleed vulnerability status of popular websites, visit the GitHub page which is tracking the status of Heartbleed patching.
