This fragment from the randombit.net crypto list as this perhaps the clearest "langsec" cue I've yet seen. Perhaps it is time for a broadside.
--dan ------- Forwarded Message Date: Thu, 10 Apr 2014 09:29:52 +1000 From: "James A. Donald" <jam...@echeque.com> To: cryptogra...@randombit.net Subject: Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL On 08/04/14 11:46, ianG wrote: >> We have here a rare case of a broad break in a security protocol leading >> to compromise of keys. On 2014-04-09 21:53, Alan Braggins wrote: > Though it's an implementation break, not a protocol break. Not exactly. The protocol failed to define a response to nonsensical records. The bug was that the protocol responded to invalid records the same way as if they were valid. The protocol should have said "a valid record shall satisfy the following requirements. Invalid records shall be silently discarded and all actions that depend on them silently terminated." _______________________________________________ cryptography mailing list cryptogra...@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ------- End of Forwarded Message _______________________________________________ langsec-discuss mailing list langsec-discuss@mail.langsec.org https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
