Google engineer Neel Mehta found the Heartbleed bug.
The media-shy Google engineer who found the Heartbleed computer security vulnerability has spoken out for the first time, revealing how he found the serious bug, why he went looking for it in the first place, and his predictions on whether something like it will be found again.
Speaking with Australian IT security podcast Risky.biz more than six months after Heartbleed was disclosed publicly on April 7, Google's Neel Mehta said he found the bug after conducting a "laborious" source code review of the open source software that contained it, OpenSSL.
"Source code" is the computer code which makes software run, while "open source software" is a type of software which is made freely available by volunteers and is usually able to be redistributed and modified.
"I was doing laborious auditing of OpenSSL, going through the [Secure Sockets Layer] stack line by line," Mehta said, adding that he hadn't spoken about it until now because it made him "nervous".
SSL is an encryption protocol used to encrypt traffic between a website and its user. The bug he found allowed him, and potentially hackers, to extract highly personal information about web users from servers using OpenSSL.
Mehta said the "main reason" he went looking through the SSL stack was because of some of the other encryption bugs found earlier this year, including the GoToFail security bug, found in February, and the GnuTLS bug, found in March.
"You sort of sense that the discovery of flaws in SSL stacks is accelerating and so I was curious about [what] the current state of security was with regards to SSL stacks and I went and took a look..."
Mehta said he didn't expect the huge reaction the bug received from the mainstream media, but said a logo made by a security firm who also discovered the bug at about the same time he did helped it gain traction.
"I was a little surprised by the reaction," he said.
"I think a lot of that had to do with a lot of the marketing around the bug that [security firm] Codenomicon did. A logo and a great name goes a long way; I mean I didn't have any of those."
He said he was also "a little bit less enthusiastic" about how serious a bug Heartbleed was compared to other people's hyperbolic claims, and questioned reports from Bloomberg that spies had found the bug before him and utilised it for nefarious purposes.
"I don't know if we'll ever know," he said, adding that he personally thought it was an "unlikely" scenario.
"But I don't think that we have all the facts to see either way," he said. "I have a little bit of harder time believing that [Bloomberg] article today than I did back [when I discovered the bug]."
Mehta also believes the latest pervasive bug to hit the web, Shellshock, was worse than Heartbleed. That bug was found by Stephane Chazelas, an open source software developer.
"... The [Shellshock] bug itself is very serious and I think it's more serious than Heartbleed," Mehta said.
"But it depends on again what information you're trying to guard, what you consider valuable."
Mehta didn't know why the Heartbleed bug took so long to be found – it existed for more than two years before being discovered and patched – but thought it was because of increased scrutiny of encryption software.
"I think we sort of reached critical mass in bugs in SSL [earlier this year]. So at some point earlier this year there were a bunch of bugs found and people are beginning to find more and more," he said.
"[That's] because it matters more and it's all in context of the use of encryption on the net today [being] much more important than it was a year ago."
Encryption has become more important in the past year following revelations by former US National Security Agency contractor Edward Snowden revealing the extent of spying by the agency.
In one case it was revealed the NSA intercepted and collected data not encrypted properly between Google data centres.
Mehta said the reason Shellshock and Heartbleed were such pervasive bugs was because the software the bugs existed in – Bash and OpenSSL – were used by hundreds of millions of devices globally.
He suspected other software – which he described as software "that glue other things together" – would likely also have bugs that have gone unnoticed for years.
He nominated Zlib, a compression library found in many pieces of software, and libjpeg, a widely used C library for reading and writing JPEG image files, as potentially containing similar bugs.
"I think we're going to see more bugs like this and … simply it's a product of software changes, new things [that] are introduced. Every change is an opportunity to make a mistake...," Mehta said.
A bug in libjpeg would "have tremendous impact", he said.
On April 11, Fairfax Media revealed how German software developer Robin Seggelmann accidentally introduced the Heartbleed bug into OpenSSL.