[Nottingham] Heartbleed XKCD
Jason Irwin
jasonirwin73 at gmail.com
Mon Apr 14 07:51:31 UTC 2014
On 11/04/14 22:05, Roger Light wrote:
> Yes, it would've saved us here, but the problem from what I've seen is
> a poor attitude in the openssl team. Proper automated testing of this
> crucial *security* project would've found the bug. They don't do that.
> They barely document anything.
The team is just 4 people (12 if you include all volunteers) without
much funding (certainly, there's no sponsor's logos on the openssl.org
site - a perk for funders). Maybe if some of the companies/people
relying on OpenSSL funded it, things like this would be less likely to
happen. How much did Heartbleed cost? How much could be done with 1% (or
even 0.1%) of that?
AIUI this bug was only found because Google chucked money at them to do
an audit.
Unfortunately I don't think OpenSSL is unique in this regard and whilst
it's not perfect by any means, static code analysis is simple enough to
add into the build system and does catch bone-head mistakes. Although
false positive/negatives are an issue depending on code base and system
used.
--
╔═════════════╦══════════════════════════════════════════╗
║ Jason Irwin ║ OpenPGP (GPG/PGP) Public Key: 0xD0C592B1 ║
║             ║ Import from hkp://subkeys.pgp.net        ║
╚═════════════╩══════════════════════════════════════════╝
PS Judging by the emails I have started to get, it's time to start
changing passwords as sites have patched.