From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: OpenSSL development (Heartbleed)
Date: Wed, 23 Apr 2014 09:30:08 +0200
Date: 2014-04-23T09:30:08+02:00 [thread overview]
Message-ID: <6xpjk44lobfz.fctt93m75u47$.dlg@40tude.net> (raw)
In-Reply-To: slrnlleked.i0l.lithiumcat@nat.rebma.instinctive.eu
On Wed, 23 Apr 2014 05:38:21 +0000 (UTC), Natasha Kerensikova wrote:
> On 2014-04-22, Dmitry A. Kazakov <mailbox@dmitry-kazakov.de> wrote:
>> On Tue, 22 Apr 2014 16:57:28 +0000 (UTC), Simon Clubley wrote:
>>> No, properly _implemented_ standards are what is required.
>>>
>>> Heartbleed came about because a boundary check was missing which allowed
>>> a invalid request to be processed instead of being rejected and, because
>>> of the _implementation_, was allowed access to memory that had nothing to
>>> do with the request.
>>>
>>> This was a failure in the implementation of the standard, not a failure
>>> of the standard itself.
>>
>> Boundary checks or not, the transport layer shall have no access to the
>> server data.
>>
>> A tightly coupled system is vulnerable. If compromising just one component
>> opens all gates wide, that is a bad standard and bad design. The effects of
>> errors and faults must be bounded per design.
>
> How would you design a transport layer that has no access to whatever is
> supposed to be transported?
>
> "Heartbleed" didn't leak any data that ins't legitimataly needed by
> OpenSSL (i.e. transported data and/or transport parameters (like keys))
I heard it leaked user data, I didn't go into details. I hope user data are
not transported, because otherwise that would be even an greater design
fault.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2014-04-23 7:30 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-19 14:31 OpenSSL development (Heartbleed) Alan Browne
2014-04-19 15:06 ` Nasser M. Abbasi
2014-04-19 15:41 ` Alan Browne
2014-04-19 15:36 ` Georg Bauhaus
2014-04-19 16:00 ` Yannick Duchêne (Hibou57)
2014-04-19 16:34 ` Georg Bauhaus
2014-04-19 17:06 ` Yannick Duchêne (Hibou57)
2014-04-19 19:13 ` Georg Bauhaus
2014-04-19 20:39 ` Yannick Duchêne (Hibou57)
2014-04-19 19:42 ` Alan Browne
2014-04-21 23:51 ` Randy Brukardt
2014-04-22 15:20 ` G.B.
2014-04-22 16:33 ` Dmitry A. Kazakov
2014-04-22 16:57 ` Simon Clubley
2014-04-22 19:53 ` Dmitry A. Kazakov
2014-04-22 20:49 ` Yannick Duchêne (Hibou57)
2014-04-23 5:38 ` Natasha Kerensikova
2014-04-23 7:30 ` Dmitry A. Kazakov [this message]
2014-04-23 7:40 ` Natasha Kerensikova
2014-04-23 8:04 ` Dmitry A. Kazakov
2014-04-23 8:20 ` Georg Bauhaus
2014-04-23 7:42 ` Egil H H
2014-04-23 8:06 ` Georg Bauhaus
2014-04-19 16:06 ` Alan Browne
2014-04-19 16:42 ` Georg Bauhaus
2014-04-19 16:59 ` Georg Bauhaus
2014-04-19 19:12 ` Alan Browne
2014-04-19 20:20 ` Georg Bauhaus
2014-04-19 20:53 ` Alan Browne
2014-04-19 21:10 ` [OT] OpenBSD, was: " Simon Clubley
2014-04-19 21:53 ` Alan Browne
2014-04-19 22:15 ` Nasser M. Abbasi
2014-04-19 22:34 ` Alan Browne
2014-04-20 8:17 ` Georg Bauhaus
2014-04-20 16:49 ` Alan Browne
2014-04-22 12:18 ` G.B.
2014-04-19 15:47 ` Yannick Duchêne (Hibou57)
2014-04-19 16:21 ` Alan Browne
2014-04-19 16:46 ` Georg Bauhaus
2014-04-19 19:22 ` Alan Browne
2014-04-19 20:33 ` Georg Bauhaus
2014-04-19 21:10 ` Alan Browne
2014-04-19 16:50 ` Yannick Duchêne (Hibou57)
2014-04-19 19:25 ` Alan Browne
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox