From: Natasha Kerensikova <lithiumcat@instinctive.eu>
Subject: Re: OpenSSL development (Heartbleed)
Date: Wed, 23 Apr 2014 05:38:21 +0000 (UTC)
Date: 2014-04-23T05:38:21+00:00 [thread overview]
Message-ID: <slrnlleked.i0l.lithiumcat@nat.rebma.instinctive.eu> (raw)
In-Reply-To: 1ottu3pw9hxl1.i1h7v3r51vk0.dlg@40tude.net
On 2014-04-22, Dmitry A. Kazakov <mailbox@dmitry-kazakov.de> wrote:
> On Tue, 22 Apr 2014 16:57:28 +0000 (UTC), Simon Clubley wrote:
>> No, properly _implemented_ standards are what is required.
>>
>> Heartbleed came about because a boundary check was missing which allowed
>> a invalid request to be processed instead of being rejected and, because
>> of the _implementation_, was allowed access to memory that had nothing to
>> do with the request.
>>
>> This was a failure in the implementation of the standard, not a failure
>> of the standard itself.
>
> Boundary checks or not, the transport layer shall have no access to the
> server data.
>
> A tightly coupled system is vulnerable. If compromising just one component
> opens all gates wide, that is a bad standard and bad design. The effects of
> errors and faults must be bounded per design.
How would you design a transport layer that has no access to whatever is
supposed to be transported?
"Heartbleed" didn't leak any data that ins't legitimataly needed by
OpenSSL (i.e. transported data and/or transport parameters (like keys))
next prev parent reply other threads:[~2014-04-23 5:38 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-19 14:31 OpenSSL development (Heartbleed) Alan Browne
2014-04-19 15:06 ` Nasser M. Abbasi
2014-04-19 15:41 ` Alan Browne
2014-04-19 15:36 ` Georg Bauhaus
2014-04-19 16:00 ` Yannick Duchêne (Hibou57)
2014-04-19 16:34 ` Georg Bauhaus
2014-04-19 17:06 ` Yannick Duchêne (Hibou57)
2014-04-19 19:13 ` Georg Bauhaus
2014-04-19 20:39 ` Yannick Duchêne (Hibou57)
2014-04-19 19:42 ` Alan Browne
2014-04-21 23:51 ` Randy Brukardt
2014-04-22 15:20 ` G.B.
2014-04-22 16:33 ` Dmitry A. Kazakov
2014-04-22 16:57 ` Simon Clubley
2014-04-22 19:53 ` Dmitry A. Kazakov
2014-04-22 20:49 ` Yannick Duchêne (Hibou57)
2014-04-23 5:38 ` Natasha Kerensikova [this message]
2014-04-23 7:30 ` Dmitry A. Kazakov
2014-04-23 7:40 ` Natasha Kerensikova
2014-04-23 8:04 ` Dmitry A. Kazakov
2014-04-23 8:20 ` Georg Bauhaus
2014-04-23 7:42 ` Egil H H
2014-04-23 8:06 ` Georg Bauhaus
2014-04-19 16:06 ` Alan Browne
2014-04-19 16:42 ` Georg Bauhaus
2014-04-19 16:59 ` Georg Bauhaus
2014-04-19 19:12 ` Alan Browne
2014-04-19 20:20 ` Georg Bauhaus
2014-04-19 20:53 ` Alan Browne
2014-04-19 21:10 ` [OT] OpenBSD, was: " Simon Clubley
2014-04-19 21:53 ` Alan Browne
2014-04-19 22:15 ` Nasser M. Abbasi
2014-04-19 22:34 ` Alan Browne
2014-04-20 8:17 ` Georg Bauhaus
2014-04-20 16:49 ` Alan Browne
2014-04-22 12:18 ` G.B.
2014-04-19 15:47 ` Yannick Duchêne (Hibou57)
2014-04-19 16:21 ` Alan Browne
2014-04-19 16:46 ` Georg Bauhaus
2014-04-19 19:22 ` Alan Browne
2014-04-19 20:33 ` Georg Bauhaus
2014-04-19 21:10 ` Alan Browne
2014-04-19 16:50 ` Yannick Duchêne (Hibou57)
2014-04-19 19:25 ` Alan Browne
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox