[Cryptography] Something that's bothering me about the heartbleed discussion.....

[Peter Trei]

We're all talking about a serious bug in OpenSSL code.

But the bug itself isn't a crypto bug. It's a general programming bug, which
could occur in any server code when the client can say 'send me the first X
bytes of buffer FOO', and the server does that without checking that
X <= length(FOO).

Its a bounds checking bug, which just happened to appear in security related
code.

The same error could occur in many other parts of a server program, with the
same devastating consequences.

Fixing OpenSSL is important. But we need to look at ways of
preventing this kind of bound check error generally. Discussing fixes that
specifically make crypto code more reliable won't catch issues outside of
crypto code.

pt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140417/d83e4e35/attachment.html>