The Swiss Army Knife of Cybersecurity: OpenSSL

The Program Which Jumped From Version 1 to Version 3

When I was an electrical engineer, my standard tester was my trusty DVM (Digital Voltmeter). But, in Cybersecurity, my trusted tester is one little program that never grew up but which often provides the foundation of security on the Internet … OpenSSL.

The program that caused Heartbleed

It all started with Eric A Young and Tim Hudson, who, in Dec 1998, created the first version of OpenSSL (it was known as SSLeay — SSL Eric A Young). It has since become the program that caused Heartbleed and which has generated many other serious bugs.

Eric finished his research and was involved with Cryptsoft (www.cryptsoft.com) before joining RSA Security as a Distinguished Engineer. After Eric left, it fell to Steve Marquess (from the US) and Stephen Henson (from the UK) to continue its development through the OpenSSL Software Foundation (OSF). The code continued to grow, with TLS support added to 1.0.1a on 14 March 2012. Unfortunately, a bug appeared on 1 Jan 2012 in the code which implemented the Heartbeat protocol (RFC 6520), and which ended up resulting in Heartbleed (Figure 1). The bug was actually introduced by the same person who wrote the RFC — Robin Seggelmann, a German developer. If you…

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice