[Nottingham] Heatbleed XKCD

Jason Irwin jasonirwin73 at gmail.com
Mon Apr 14 07:51:31 UTC 2014


On 11/04/14 22:05, Roger Light wrote:
> Yes, it would've saved us here, but the problem from what I've seen is
> a poor attitude in the openssl team. Proper automated testing of this
> crucial *security* project would've found the bug. They don't do that.
> They barely document anything.
The team is just 4 people (12 if you include all volunteers) without
much funding (certainly, there's no sponsor's logos on the openssl.org
site - a perk for funders). Maybe if the some of the companies/people
relying on OpenSSL funded it, things like this would be less likely to
happen. How much did Heartbleed cost? How much could be done with 1% (or
even 0.1%) of that?

AIUI this bug was only found because Google chucked money at them to do
an audit.

Unfortunately I don't think OpenSSL in unique in this regard and whilst
it's no perfect by any means; static code analysis is simple enough to
add into the build system and does catch bone-head mistakes. Although
false positive/negatives are an issue depending on code base and system
used.

-- 
╔═════════════╦══════════════════════════════════════════╗
║ Jason Irwin ║ OpenPGP (GPG/PGP) Public Key: 0xD0C592B1 ║
║             ║ Import from hkp://subkeys.pgp.net        ║
╚═════════════╩══════════════════════════════════════════╝

ps Judging by the emails I have started to get, it's time to start
changing passwords as sites have patched.



More information about the Nottingham mailing list