On 11/04/14 03:45, d...@geer.org wrote: > > This fragment from the randombit.net crypto list as this perhaps > the clearest "langsec" cue I've yet seen. Perhaps it is time for > a broadside. > > --dan > > ------- Forwarded Message > > Date: Thu, 10 Apr 2014 09:29:52 +1000 > From: "James A. Donald" <jam...@echeque.com> > To: cryptogra...@randombit.net > Subject: Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in > OpenSSL > > On 08/04/14 11:46, ianG wrote: >>> We have here a rare case of a broad break in a security protocol leading >>> to compromise of keys. > > On 2014-04-09 21:53, Alan Braggins wrote: >> Though it's an implementation break, not a protocol break. > > Not exactly. The protocol failed to define a response to nonsensical > records. The bug was that the protocol responded to invalid records > the same way as if they were valid. > > The protocol should have said "a valid record shall satisfy the > following requirements. Invalid records shall be silently discarded > and all actions that depend on them silently terminated."
Actually the protocol *did* specify that: https://tools.ietf.org/html/rfc6520#section-4 # If the payload_length of a received HeartbeatMessage is too large, # the received HeartbeatMessage MUST be discarded silently. -- Daira Hopwood ⚥
signature.asc
Description: OpenPGP digital signature
_______________________________________________ langsec-discuss mailing list langsec-discuss@mail.langsec.org https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
