Opinion
Leonid Bershidsky

Heartbleed's Password Heartbreak

The world of open source software runs on passion and selflessness, but these are relatively rare qualities, and the resulting lack of resources makes bugs like Heartbleed possible.
Open Source passion doesn't stretch to drudgery of making code safe. Photographer: Ben Torres/Bloomberg

Now that you've changed all your passwords (I did) in the wake of the discovery of a coding error in OpenSSL, the widely used software for the secure transmission of data, it's time to think about why the "Heartbleed bug" made it into the code and sat there undetected for two years. The problem can be fixed with a wake-up call and a bit of money.

The bug, which allowed hackers to capture passwords and other personal information, was the handiwork of German programmer Robin Seggelmann, who says it was an honest, "trivial" mistake. The reviewer, Englishman Stephen Henson, one of a "core team" of enthusiasts supporting the OpenSSL library, missed it. And that was it: We don't know whether anyone exploited the vulnerability the two men created, but then hackers certainly wouldn't tell us if they did.