[Cryptography] It's all K&R's fault (was: bounded pointers in C)

[Jon Callas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And it is, too, and others have said the sorts of things I would say about what an abomination of a language C is. But so what? You *can* use it reasonably, especially with any of a number of supplemental libraries do things like give you reasonable strings, buffers, and so on. The people on the other side of the tale are also right.

However, this whole conversation is mostly irrelevant to the actual issue. Here is a case in point from my own present experience.

One of the subsystems I use is a network server written in Erlang, which is a language that would meet many people's gross requirements for a better language than C.

Nonetheless, this Erlang server ended up needing to be updated for Heartbleed, because this system does SSL by using OpenSSL. Meow.

In contrast, we have another server which is written in C and pretty grody in a lot of ways. But it uses a *different* SSL package and therefore had no issues with Heartbleed. Meow. Other subsystems we use use yet other SSL packages (for example, Secure Transport on iOS), which each have their own issues.

Yeah, sure, C is an abomination. But much of its abominableness can be mitigated with static analyzers etc. Beyond that, unless you rewrite the entire stack you're on, from the OS up, you're very likely still using C even when you're not using C.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFTUYSgsTedWZOD3gYRAoNPAKCSLLpGaUKD8Pl0CkWAwnnaI42FggCfZJrk
f9oLrszsWQ7bMCwLMBVsjxY=
=s+ng
-----END PGP SIGNATURE-----