Write or find an embeddable TLS implementation that somehow manages to be simple, safe by design, auditable, and interoperable.

Node has very little to do with the kinds of issues that resulted in Heartbleed beyond depending on OpenSSL. As the recent vulnerabilities in OpenSSL, GnuTLS, and BSAFE/C show, even multiple large-scale audits can't catch all / most simple programming errors (or attempts by intelligence agencies to pull a fast one, I guess). This is a problem that is much larger than Node, or even our community.

F

On Thursday, April 10, 2014, Aria Stewart <[email protected]> wrote:

> On Apr 10, 02014, at 11:01, Brad Carleton <[email protected]> wrote:
>
> > It's pretty much luck that most versions of Node seem to be unaffected by heartbleed. But what is being done or what can be done to prevent a similar vulnerability in the future?
>
> Code review, paid audits, release agility, simple interfaces, don't hide outside-visible details underneath the API surface, move things into languages where bounds-checking is the norm.
