From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
Path: 
 eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP>
Newsgroups: comp.lang.ada
Subject: Re: OpenSSL development (Heartbleed)
Date: Tue, 22 Apr 2014 16:57:28 +0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <lj671n$bj6$1@dont-email.me>
References: <-OGdnezdYpRWFc_OnZ2dnUVZ_vednZ2d@giganews.com>
 <535297f1$0$6715$9b4e6d93@newsspool3.arcor-online.net>
 <op.xekmrhmiule2fv@cardamome>
 <5352a585$0$6707$9b4e6d93@newsspool3.arcor-online.net>
 <lj4ath$c6i$1@loke.gir.dk>
 <535688a0$0$6721$9b4e6d93@newsspool3.arcor-online.net>
 <19mxjybev4fc9.1fkxznem326v8$.dlg@40tude.net>
Injection-Date: Tue, 22 Apr 2014 16:57:28 +0000 (UTC)
Injection-Info: mx05.eternal-september.org;
 posting-host="e458ff8b81bc0c159989eb0e36c6e372";
	logging-data="11878"; mail-complaints-to="abuse@eternal-september.org";
	posting-account="U2FsdGVkX1+DdRJDfOkInp/rhcDMotqCOKyo9omY5WY="
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
Cancel-Lock: sha1:jso1dxhTVF5Y6Vs1IuHUMEQylHE=
Xref: news.eternal-september.org comp.lang.ada:19497
Date: 2014-04-22T16:57:28+00:00
List-Id: <comp.lang.ada>

On 2014-04-22, Dmitry A. Kazakov <mailbox@dmitry-kazakov.de> wrote:
> On Tue, 22 Apr 2014 17:20:13 +0200, G.B. wrote:
>> 
>> Evidence, indeed!
>>   Now given ISO/IEC 27000, a family of standards revolving
>> around security, and Heartbleed, what can anyone do to make
>> standards effecive?
>
> Properly designed standards, maybe? Let me ask a stupid question. What has
> a transport level protocol to do with the application level's servers (and
> clients)? If it really were a strictly transport level, no implementation
> could leak data out of higher levels. Right?
>

No, properly _implemented_ standards are what is required.

Heartbleed came about because a boundary check was missing which allowed
a invalid request to be processed instead of being rejected and, because
of the _implementation_, was allowed access to memory that had nothing to
do with the request.

This was a failure in the implementation of the standard, not a failure
of the standard itself.

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world