Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News
      How the Post Office plans to rise from the dead - Fathima Gany

      How the Post Office plans to rise from the dead

      17 July 2026
      iOCO snaps up ERP firm as acquisition machine cranks up - Rhys Summerton

      iOCO snaps up ERP firm as acquisition machine cranks up

      17 July 2026
      Meta AI will now tell parents if their teen is in crisis

      Meta AI will now tell parents if their teen is in crisis

      17 July 2026
      Tap to pay is finally coming to the Post Office

      Tap to pay is finally coming to the Post Office

      17 July 2026
      Xi pitches China as the world's AI liberator - Chinese President Xi Jinping waves as he arrives at the opening ceremony of the World AI Conference in Shanghai. Ng Han Guan/Reuters

      Xi pitches China as the world’s AI liberator

      17 July 2026
    • World
      Swingeing jobs cuts at Microsoft's Xbox unit

      Swingeing jobs cuts at Microsoft’s Xbox unit

      6 July 2026

      SK Hynix ends Samsung’s 26-year reign at the top

      22 June 2026
      Google on the hook for what its AI tells users, court rules

      Google on the hook for what its AI tells users, court rules

      15 June 2026
      How Russians juggle VPNs to outwit the Kremlin

      How Russians juggle VPNs to outwit the Kremlin

      15 June 2026
      Amazon CEO flagged Anthropic AI risks to Washington - Andy Jassy

      Amazon CEO flagged Anthropic AI risks to Washington

      14 June 2026
    • In-depth
      AI boom sparks rally, frenzy and fear

      AI boom sparks rally, frenzy and fear

      11 June 2026
      Every plug-in hybrid on sale in South Africa, ranked by price - Lamborghini Temerario

      Every plug-in hybrid on sale in South Africa, ranked by price

      7 June 2026
      What Wi-Fi 8 will mean for wireless networks

      What Wi-Fi 8 will mean for wireless networks

      1 June 2026
      Alfa's electric rebel - Alfa Romeo Junior Elettrica Veloce

      Alfa’s electric rebel

      29 April 2026
      Africa switches on as Europe dims the lights

      Africa switches on as Europe dims the lights

      9 April 2026
    • TCS
      Watts & Wheels S1E7: 'Ferrari's EV breaks the internet'

      Watts & Wheels S1E7: ‘Ferrari’s EV breaks the internet’

      8 July 2026
      TCS+ | How Tracker is turning vehicle data into business strategy - Silvia Schollenberger

      TCS+ | How Tracker is turning vehicle data into business strategy

      1 July 2026
      TCS+ | IBM Bob: an AI-powered 'development partner' for the enterprise - David Spurway

      TCS+ | IBM Bob: an AI-powered development partner for the enterprise

      30 June 2026
      Watts & Wheels S1E6: 'A flawless Alfa and a bakkie that divides'

      Watts & Wheels S1E6: ‘A flawless Alfa and a bakkie that divides’

      17 June 2026
      Watts & Wheels S1E6: 'A flawless Alfa and a bakkie that divides'

      Watts & Wheels S1E5: ‘A Bentley of the bush and a car that swims’

      8 June 2026
    • Opinion
      The author, Fanie van Rooyen

      South Africa can still catch the AI wave – here’s how

      7 July 2026
      The author, Fanie van Rooyen

      The AI utopia South Africa can’t afford

      1 July 2026
      Selling vapour is corporate suicide in slow motion - Jannie van Zyl

      South Africa’s broadband future is being decided in orbit, not in Pretoria

      30 June 2026
      The author, Pambos Soteriades

      The pivot South Africa’s MVNOs cannot afford to miss

      23 June 2026
      Brazil's online gambling crackdown is a lesson for South Africa

      Brazil’s online gambling crackdown is a lesson for South Africa

      22 June 2026
    • Company Hubs
      • 1Stream
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • Ascent Technology
      • AvertITD
      • BBD
      • Braintree
      • CallMiner
      • CambriLearn
      • CM Telecom
      • Contactable
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • HOSTAFRICA
      • Incredible Business
      • iONLINE
      • IQbusiness
      • Iris Network Systems
      • Kaspersky
      • LSD Open
      • Mitel
      • NEC XON
      • Netstar
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SevenC
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Telviva
      • Tenable
      • Vertiv
      • Videri Digital
      • Vodacom Business
      • Wipro
      • Workday
      • XLink
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Financial services
      • HealthTech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Policy and regulation
      • Public sector
      • Retail and e-commerce
      • Satellite communications
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
      • Watts & Wheels
    • Events
    • Advertise
    TechCentralTechCentral
    Home » Opinion » Alistair Fairweather » The tiny bug that broke Internet security

    The tiny bug that broke Internet security

    By Alistair Fairweather14 April 2014
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    Alistair-Fairweather-180-profileOn New Year’s Eve in 2011, at one minute before 11pm, a British computer consultant named Stephen Henson finished testing a new version of a popular piece of free security software. With a few keystrokes, he released OpenSSL version 1.0.1 into the public domain. Now, more than two years later, the events of that night have shaken the foundations of the Internet.

    OpenSSL is used as the backbone of online security by hundreds of thousands of websites. One of the most popular features it provides is Transport Layer Security (TLS), which scrambles (encrypts) private communications. When you’re checking your bank account or your Web mail and you see that green padlock in your browser’s address bar, you’re using TLS.

    This encryption is necessary because without it, hackers and governments could easily intercept and read all the data passed around the Internet. Think of TLS as a system of armoured cars that securely transport your data across the public Internet between secure locations — from you own computer to your bank’s servers, for example.

    What Stephen Henson didn’t realise when he released the new version is that he missed a tiny bug in a new feature called Heartbeat. This feature, written by a German graduate student named Robin Seggelmann, had the best of intentions. As we all know, Internet traffic is not 100% reliable. Quite a lot of effort goes into simply checking whether the computer on the other end of the line is still connected and “listening” to what your computer is sending.

    Heartbeat makes this process quicker by eliminating the need for lengthy security checks, called renegotiations, every time the connection needs to be tested. It allows one computer to ask the other to repeat a word to test if it is still connected — a bit like the guards in the armoured car saying “copy” at the end of every two-way radio transmission.

    Unfortunately, both Seggelmann and Henson missed the fact that this check can be abused to trick the listening computer into replying with up to 64 000 characters of data directly from its memory. The asking computer simply lies about the length of the word it is sending (cat is 64 000 letters long), and the replying computer doesn’t bother to check — it just spits the data out of its memory.

    And here’s where it gets really ugly. That data can contain literally anything loaded into memory, including passwords, e-mail addresses and encryption keys. Instead of attacking the armoured car, the hackers now have a secret back door into the warehouse and the codes to the safe.

    So, the thousands of online services that use OpenSSL — such as Facebook, Gmail, Yahoo and Pinterest — have potentially become a goldmine for hackers for more than two years. Many cellphones running newer versions of Android are also vulnerable. All of these services are urging users to change their passwords as soon as possible. If you’re not sure, change your password anyway.

    The bug, evocatively named Heartbleed, has both the technology community and many ordinary users in uproar. Cries of “How could this be allowed to happen?” and “Someone needs to be held responsible!” are echoing around the Internet.

    You might expect OpenSSL to fire Seggelmann and Henson, except that they are volunteers and gave their time to the project for free. The “open” part of its name signals that the software is completely open source — it is created, improved and maintained by a global community of software developers, most of whom work for free. Much of the infrastructure of the Internet, from databases to Web servers, is built on the same model.

    heartbleed-640
    The Heartbleed bug has both the technology community and many ordinary users in uproar, says the writer

    This fact has led many people to criticise the entire open-source movement. They decry its “lack of professionalism” and its “buggy code”. But many of the people complaining have happily built enormously profitable businesses on top of OpenSSL without once contributing to the project.

    In fact, the OpenSSL Foundation, the organisation responsible for the software, has only five permanent members and less than a dozen major contributors, scattered around the globe. It received a piffling US$2 000 in donations last year, and keeps the lights on by consulting to large corporations and government departments.

    The development community has coalesced into two camps — those who feel empathy and forgiveness for the OpenSSL team, and those filled with righteous indignation at what they see as an egregious lapse. But, flawed or not, many will continue using OpenSSL. To rewrite it from scratch, by some estimates, would be a three-year job for a team of 25 developers, with a cost of over $15m.

    Regardless of the current panic and finger-pointing, Heartbleed has revealed a fundamental truth about the Internet: some very important parts of its guts rely on goodwill and community spirit. We should not take that for granted. It’s easy to blame, but it’s far more productive to help.  — (c) 2014 Mail & Guardian

    • Alistair Fairweather is chief technology officer at the Mail & Guardian
    • Visit the Mail & Guardian Online, the smart news source
    Follow TechCentral on Google News Add TechCentral as your preferred source on Google


    Alistair Fairweather Heartbleed OpenSSL Robin Seggelmann Stephen Henson
    WhatsApp YouTube
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleJSE gets a makeover
    Next Article Future imperfect for Samsung

    Related Posts

    FNB backs down on password decision after backlash

    20 August 2019

    FNB’s new password policy makes its customers less secure

    20 August 2019

    Where to next for smartphones

    4 April 2017
    Company News
    Paratus again voted Namibia's most reliable internet provider

    Paratus again voted Namibia’s most reliable internet provider

    17 July 2026
    Core opens Microsoft Surface reseller programme to South African SMEs - John Press

    Core opens Microsoft Surface reseller programme to South African SMEs

    17 July 2026
    The economy the statistics miss is thriving on Spondo Street - Lesaka Technologies Lincoln Mali

    The economy the statistics miss is thriving on Spondo Street

    16 July 2026
    Opinion
    The author, Fanie van Rooyen

    South Africa can still catch the AI wave – here’s how

    7 July 2026
    The author, Fanie van Rooyen

    The AI utopia South Africa can’t afford

    1 July 2026
    Selling vapour is corporate suicide in slow motion - Jannie van Zyl

    South Africa’s broadband future is being decided in orbit, not in Pretoria

    30 June 2026

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Latest Posts
    How the Post Office plans to rise from the dead - Fathima Gany

    How the Post Office plans to rise from the dead

    17 July 2026
    iOCO snaps up ERP firm as acquisition machine cranks up - Rhys Summerton

    iOCO snaps up ERP firm as acquisition machine cranks up

    17 July 2026
    Meta AI will now tell parents if their teen is in crisis

    Meta AI will now tell parents if their teen is in crisis

    17 July 2026
    Tap to pay is finally coming to the Post Office

    Tap to pay is finally coming to the Post Office

    17 July 2026
    © 2009 - 2026 NewsCentral Media
    Built and maintained by Chronon
    • Cookie policy (ZA)
    • TechCentral – privacy and Popia

    Type above and press Enter to search. Press Esc to cancel.

    Manage consent

    TechCentral uses cookies to enhance its offerings. Consenting to these technologies allows us to serve you better. Not consenting or withdrawing consent may adversely affect certain features and functions of the website.

    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    • Manage options
    • Manage services
    • Manage {vendor_count} vendors
    • Read more about these purposes
    View preferences
    • {title}
    • {title}
    • {title}