[Cryptography] Something that's bothering me about the heartbleed discussion.....

Bill Stewart billstewart at pobox.com
Fri Apr 18 19:12:57 EDT 2014


>>So it's not just OpenSSL.  It's every bit of code that *uses* 
>>OpenSSL, and every bit of code that *uses* the code that *uses* OpenSSL.
>>I think you may have missed my point. This style of security hole 
>>could exist in server programs which don't use OpenSSL; indeed, 
>>which don't use crypto at all.
>Oh, I got that.  I used OpenSSL as an example.

OpenSSL is an especially pernicious example, though,
because it's a library used for writing server programs,
rather than just a server program,
and because it's intended to do the difficult security bits,
so people who aren't security experts can get secure servers,
and because security libraries protect the stuff you care most about,
unlike, say, a bad streaming media server.

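The point made in the quoted text, that a Heartbleed-style hole needs no crypto at all, is easy to show in a handler that has nothing to do with TLS. The following is an added example, not code from this thread or from OpenSSL: a toy "echo" record with a client-supplied 16-bit length field, handled once by trusting that field (as the heartbeat code did) and once by checking it against the bytes actually received. The record layout, the function names and the "connection buffer" contents are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical record format (this example's own, not a real protocol):
 *   bytes 0-1 : big-endian payload length, supplied by the client
 *   bytes 2.. : payload
 * No crypto is involved; the only question is whether the server
 * believes the length field.
 */
#define HDR_LEN 2

/* Vulnerable handler: copies 'claimed' bytes out of the record and checks
 * only that the reply buffer can hold them. If 'claimed' is larger than
 * what the client actually sent, memcpy reads whatever follows the record
 * in memory and the server echoes it back. */
size_t echo_trusting(const uint8_t *rec, size_t rec_len,
                     uint8_t *reply, size_t reply_cap)
{
    if (rec_len < HDR_LEN) return 0;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > reply_cap) claimed = reply_cap;   /* destination checked... */
    memcpy(reply, rec + HDR_LEN, claimed);          /* ...source is not */
    return claimed;
}

/* Hardened handler: the claimed length must fit inside the bytes that were
 * actually received; otherwise the record is dropped and nothing is echoed. */
size_t echo_checked(const uint8_t *rec, size_t rec_len,
                    uint8_t *reply, size_t reply_cap)
{
    if (rec_len < HDR_LEN) return 0;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - HDR_LEN) return 0;      /* short record: reject */
    if (claimed > reply_cap) return 0;
    memcpy(reply, rec + HDR_LEN, claimed);
    return claimed;
}

/*
 * Constructed connection buffer: a 6-byte client record claiming a
 * 32-byte payload but carrying only "ping", followed by unrelated data the
 * server keeps in the same buffer (the kind of thing Heartbleed leaked).
 * Keeping the "adjacent" data inside this array makes the over-read
 * deterministic for the demonstration instead of undefined behaviour.
 */
static const uint8_t conn_buf[] =
    "\x00\x20" "ping"                          /* len=32, 4 real bytes */
    "session-cookie=s3cr3t; user=alice\n";     /* adjacent server data */
#define REC_LEN 6   /* what the client actually sent */

/* Runs one handler against the short record and reports whether the
 * reply carries the adjacent secret (1) or not (0). */
int reply_contains_secret(size_t (*handler)(const uint8_t *, size_t,
                                            uint8_t *, size_t))
{
    uint8_t reply[64];
    memset(reply, 0, sizeof reply);            /* keeps reply NUL-terminated */
    handler(conn_buf, REC_LEN, reply, sizeof reply - 1);
    return strstr((const char *)reply, "s3cr3t") != NULL;
}

/* Sanity check: the hardened handler still echoes an honest record. */
size_t checked_echoes_honest_record(void)
{
    static const uint8_t honest[] = "\x00\x04" "ping";
    uint8_t reply[64];
    return echo_checked(honest, 6, reply, sizeof reply);
}

int main(void)
{
    printf("trusting handler leaks adjacent data: %s\n",
           reply_contains_secret(echo_trusting) ? "yes" : "no");
    printf("checked handler leaks adjacent data:  %s\n",
           reply_contains_secret(echo_checked) ? "yes" : "no");
    printf("checked handler echoes honest record: %zu bytes\n",
           checked_echoes_honest_record());
    return 0;
}
```

The only difference between the two handlers is one comparison against rec_len; everything else, including the destination-size check, is identical, which is why this class of bug survives review so easily.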