On Fri, Apr 11, 2014 at 03:07:09PM +0200, [email protected] wrote:
> > Message of 11/04/14 05:44
> > From: [email protected]
> > > It makes me wonder if the NSA was involved in inserting this bug into
> > > OpenSSL clients and servers.
> >
> > If they did it, someone got a promotion. If they are as surprised
> > as you are, someone got fired.
> >
> > In the meantime, tell me that gcc is so compact and well vetted that
> > there is no room in it for insertions...
> >
>
> This article makes an interesting point, we got to dig a bit more from our
> pockets:
>
> http://www.wired.com/2014/04/heartbleedslesson/
>
> The second point I wish to make is the surprise by which the original
> developer took the issue. Maybe, just maybe, he did not create that flaw at
> all.
>
> It could have been inserted into the OpenSSL repository through a backdoor
> ... or why would the spies be so interested in hacking professors that deal
> with crypto and whose word is trusted by the masses? Like they did to a
> Belgian cryptographer? Was that fellow nerd a turrist of sorts?
>
> It may be possible that Seggelmann did his job correctly, that the reviewer
> did his job correctly, but someone unknown may have changed it just a little
> bit before delivery.
>
>
> Besides funding projects like OpenSSL better, we should start considering the
> security of the repositories themselves.
>
> What ya fellow coders think?
I certainly don't trust repositories ;)

BTW, I think this Heartbleed story is exaggerated. If it were code execution it would have been much worse. Browser vendors fix _a lot_ of "unspecified memory hazards" every few months. IMO getting owned by a browser bug is much more likely than by Heartbleed.

Is there a significant rise of revoked certs caused by HB paranoia?
