On 11-04-2014 08:54, Sascha Mester wrote:
> There is no really good reason why security-related problems should be a
> secret - acceptable reasons for this behaviour never existed. The most
> harmful behaviour I have ever seen since I browse the web. 

    Imagine if this bug was found by someone that wanted nothing else
than to cause havoc. They would go and take all the private keys of all the
big sites that were vulnerable and just post them online. And, the
worst part, people wouldn't have a clue where they got the keys. Bugs
like these have a serious impact on people's lives, even if they
don't use a computer. Lots of banks were affected by this bug, I can
assure you.

    If there is no responsible disclosure, giving vendors time to patch
things beforehand, then there would be no internet. Things would be too
chaotic for the average user, who then would simply not use it. Of
course I'm against people sitting on bugs and not solving them because
it's overly "complicated", or it would require "major changes". These
kinds of people inevitably end up having their faces blown up. I really
hope that this specific OpenSSL bug, that affected so many, prompts the
developers of it to do a thorough code audit, hopefully catching
and solving a lot more bugs in the process. From what I saw in their
development mailing list, things aren't moving in that direction, but this
could change in the near future.

    At least, they should completely eliminate their own "memory
management", and let the operating system do what it was made to do.


Giancarlo Razzolini
GPG: 4096R/77B981BC
