Re: [SystemSafety] OpenSSL Bug

From: Dewi Daniels
Date: Tue, 15 Apr 2014 17:40:12 +0100


In the case of both the Heartbleed Bug and the Apple SSL vulnerability that was reported earlier this year, I find it shocking how little verification must have been carried out before the software was shipped and installed on a very large number of web sites and mobile devices. In the safety-critical world, we carry out extensive verification before a software-intensive system is cleared to enter service. In the case of OpenSSL, organisations installed software that came with no warranty. The final cost of the Heartbleed Bug could easily surpass the financial cost of an aircraft accident. If it doesn't, we've been lucky this time.

I suggest that open source software licenses should be expanded to mandate that open source software must be distributed with its verification evidence, not just the source code. That way, potential users could assess for themselves how well the software had been verified and be in a position to carry out additional verification should that be necessary. After all, the Agile Manifesto states "We have come to value *working* software over comprehensive documentation".


Dewi Daniels | Managing Director | Verocel Limited

Direct Dial +44 1225 718912 | Mobile +44 7968 837742 | Email

Verocel Limited is a company registered in England and Wales. Company number: 7407595. Registered office: Grangeside Business Support Centre, 129 Devizes Road, Hilperton, Trowbridge, United Kingdom BA14 7SZ  

From: systemsafety-bounces_at_xxxxxx [mailto:systemsafety-bounces_at_xxxxxx] On Behalf Of Mike Rothon
Sent: 11 April 2014 15:39
To: systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] OpenSSL Bug

Since news of heartbleed came to light a couple of questions have been going through my mind:

  1. How did we arrive at a situation where a large proportion of seemingly mission / financially critical infrastructure relies on software whose licence clearly states "This software is provided by the OpenSSL project ``as is`` and any expressed or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed."?
  2. Is it implicit that FOSS is less secure than proprietary software because exploits can be found by both analysis and experimentation rather than just experimentation? Or will this start a gold rush analysis of FOSS by security organisations resulting in security levels that are close to or better than proprietary software?

Finally, as it's Friday afternoon:

According to Firefox, the security certificate for the server at expired on 30/09/2013 and the connection is therefore untrusted!

Just in case anyone missed the news, the original source code for MS-DOS and Word for Windows 1.1a is available online from the Computer History Museum (


On 11/04/2014 13:25, Peter Bernard Ladkin wrote:

The simplest, possibly the nicest, explanation of Heartbleed to date:

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319

The System Safety Mailing List

systemsafety_at_xxxxxx

Received on Tue Apr 15 2014 - 18:43:09 CEST
