Re: [SystemSafety] OpenSSL Bug

From: Mike Rothon < >
Date: Fri, 11 Apr 2014 15:38:41 +0100


Since news of heartbleed came to light a couple of questions have been going through my mind:
  1. How did we arrive at a situation where a large proportion of seemingly mission / financially critical infrastructure relies on software whose licence clearly states "This software is provided by the openSSL project ``as is`` and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed."?
  2. Is it implicit that FOSS is less secure than proprietary software because exploits can be found by both analysis and experimentation rather than just experimentation? Or will this start a gold rush analysis of FOSS by security organisations resulting in security levels that are close to or better than proprietary software?

Finally, as it's Friday afternoon:

According to Firefox, the security certificate for the server at lists.techfak.uni-bielefeld.de expired on 30/09/2013 and the connection is therefore untrusted!

Just in case anyone missed the news, the original source code for MS-DOS and Word for Windows 1.1a is available online from the Computer History Museum (http://www.computerhistory.org).

Mike

On 11/04/2014 13:25, Peter Bernard Ladkin wrote:
> The simplest, possibly the nicest, explanation of Heartbleed to date:
>
> http://xkcd.com/1354/
>
> PBL
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx


The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Fri Apr 11 2014 - 16:38:57 CEST