[Cryptography] Would open source solve current security issues? (was "Re: EFF amicus brief in support of Apple")

Jonathan Katz jkatz at cs.umd.edu
Fri Mar 18 06:33:42 EDT 2016


On Thu, Mar 17, 2016 at 8:10 PM, ianG <iang at iang.org> wrote:
> On 10/03/2016 11:28 am, Jerry Leichter wrote:
>>
>>
>> Of course, there are always the high-priority emergency patches - e.g.,
>> Heartbleed.  Recently, these have been reported to the software vendors
>> privately and coordinated announcements and releases of patches have been
>> standard.  In this case, the delays were all "up front", before the
>> announcement - and the differences between open and closed source have
>> *largely* been nil.  (Apple delayed on shipping a Heartbleed patch - but
>> then it was pretty much irrelevant to the vast majority of their devices,
>> which don't run HTTP servers.)
>
>
>
> Yes, significant learning there.  Has anyone any notion of the time between
> discovery, announcement, and say 80% patch rate for the modern generation of
> issues such as Heartbleed?

For answers to some related questions, see
  http://www.umiacs.umd.edu/~tdumitra/blog/2015/04/15/impact-of-shared-code-on-vulnerability-patching/
  http://www.umiacs.umd.edu/~tdumitra/blog/2014/11/05/certificate-reissues-and-revocations-in-the-wake-of-heartbleed/
