[Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Caspar Bowden (lists) lists at casparbowden.net
Fri Apr 11 06:48:41 EDT 2014


On 09/04/14 02:22, Jerry Leichter wrote:
> On Apr 8, 2014, at 1:12 PM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:
>>> E.g., if we cannot show any damages from this breach, it isn't worth
>>> spending a penny on it to fix!
>> This analysis appears to say that it's not worth spending money to
>> fix a hole (bug) unless either money has already been spent or damages
>> have *already* occurred.  This ignores possible or probable (or even
>> certain!) *future* damages if no rework has yet happened.
> You're misreading what Iang wrote.  To say one should not fix a *potential problem that hasn't yet occurred* because we can't prove it's caused any losses yet is absurd.  Before the problem actually occurs, all we have to go on is our estimates of the possible cost, and we have to anticipate those costs.
>
> However, in the case of a problem that *has actually occurred*, if you *still* can't show any losses - then you have to seriously ask whether the problem is worth fixing, or whether it isn't really a "problem" at all.

Is it just me, or is the HeartBleedin' obvious fallacy here, that TLA adversaries use exploits in ways that won't necessarily (and in fact are unlikely to) show material losses?

Caspar Bowden
