The sad facts (a short history of heartbleed)
2014/04/28 15:39:25 CEST

Here are verifiable facts about Heartbleed.

RFC 6520 was standardized in two and a half years. The Heartbeat functionality was integrated into OpenSSL sixteen days after the patch was submitted.

The person who provided the patches enabling the Heartbeat functionality in OpenSSL is one of the authors of RFC 6520: Robin Seggelmann.

The possibility of the Heartbeat RFC enabling a covert channel was mentioned twice, publicly, on the IETF TLS mailing list, on January 27, 2011 and on December 06, 2011. This drew little to no reaction. The authors could not have been unaware of this risk: they were told about it.

Seggelmann made a coding mistake that enabled the covert channel.

This mistake went unnoticed because the OpenSSL library uses its own memory allocator, and that layer failed to detect the bug, as Ted Unangst demonstrated in two posts.
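The coding mistake was a missing check that the payload_length declared in a heartbeat request actually fits inside the TLS record that was received. As an added illustration (not code from the original post or from OpenSSL), here is an RFC 6520 heartbeat request parser in C that performs that check; the function names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage as carried in a TLS record:
 *   1 byte  type (1 = heartbeat_request, 2 = heartbeat_response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding */
#define HB_REQUEST     1
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Copies the request payload into out and returns its length, or -1 if
 * the record is malformed. The length check is the one the vulnerable
 * code lacked: without it, a response is built from payload_length bytes
 * starting at the payload, reading past the end of a short record. */
int parse_heartbeat_request(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    /* Too short to hold even a header and the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Declared length must fit in the bytes actually received. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_record[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',            /* 4-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0    /* 16 bytes padding */
};
/* Declares 0x4000 payload bytes but carries only four: must be rejected. */
static const uint8_t bad_record[] = {
    0x01, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int demo_good(void) { uint8_t b[64]; return parse_heartbeat_request(good_record, sizeof good_record, b, sizeof b); }
int demo_bad(void)  { uint8_t b[64]; return parse_heartbeat_request(bad_record,  sizeof bad_record,  b, sizeof b); }
```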

There are many, many lessons to learn from this.

Tags security heartbleed