[Cryptography] Because one TLS bug per month is just not enough

Jerry Leichter leichter at lrw.com
Mon Apr 28 22:37:27 EDT 2014


On Apr 28, 2014, at 4:54 AM, Ben Laurie <ben at links.org> wrote:
>> This one appears to affect Apple OS/X and iOS but it
>> wouldn't surprise me if other implementations have the
>> same issue. Fortunately according to Green, this will have
>> much less impact to security than did Heartbleed because
>> it only affects seldom used use cases of TLS.
> 
> FWIW, this bug was described at IETF in March. The site is dated March
> 4th. That is, it is nearly 2 months old.
> 
> As Matthew says, branding is key.
> 
> Also, BTW, it doesn't affect many people: use of client certs is
> almost non-existent.

One of the most interesting things here is the huge change in Apple's approach to security problems.  Apple has a long history of taking their time about producing and distributing security patches.  But in this case, they are out in front of the pack:  As of a couple of minutes ago, a search on "ssl triple handshake patch" found no references to a fix from anyone but Apple.

Whatever the reason for Apple deciding to push things out so quickly this time, it's good for the industry (not to mention Apple customers) that they did.  We'll see if they continue on this new path.  If they've decided to make security, actually implemented well, part of their sales pitch, we might see real pressure on others to do the same.  (Yes, I know, Microsoft turned really serious about security a number of years back - but they have yet to escape their horrible reputation from Win2K/WinXP days.)

                                                        -- Jerry
