Heartbleed - the code that broke Internet security

Those pointing fingers should have tested it. Just a pity that the open source community didn't pick it up earlier. But lesson learnt and so we will improve until the next issue :o
 
Critical code like this should surely be peer reviewed?!
 
Pretty certain it was peer reviewed, but the peer reviewer didn't pick it up at the time, that is, if you read the story the developer wrote about that piece of code.
 
Those pointing fingers should have tested it. Just a pity that the open source community didn't pick it up earlier. But lesson learnt and so we will improve until the next issue :o

+1
 
Big orgs are benefitting unduly, it seems, from the efforts of a few under-resourced folk. If these products are to interface with major programs, then they owe it to themselves and their users to verify and do quality assurance. This is the internet; every little vulnerability affects us all, irrespective of who uses it...
 
The heading is misleading, it did not break the internet. In fact it was just a media frenzy like the Y2K bug.
 
The heading is misleading, it did not break the internet. In fact it was just a media frenzy like the Y2K bug.

Over 2/3rds of all Internet sites could have been affected by this. So having possibly 2/3rds of all (secure) websites critically breached is not just "a media frenzy".
 
The heading is misleading, it did not break the internet. In fact it was just a media frenzy like the Y2K bug.

How was Y2K a media frenzy? It was a very real bug affecting a lot of systems. The fact that virtually everyone of importance fixed it is testament that things were fixed and there was no planes-falling-from-the-sky type doomsday.
 
Critical code like this should surely be peer reviewed?!

What do you expect, that free software from 4 guys doing it part time must have a quality control dept?
The reality: people expect too much for free. $2000 in donations in a year, but then when there is a bug it is their fault. You get what you pay for. Want a trustworthy product? Then pay for it.
 
if you don't like free software because of all the bugs, then go buy the thing with all the bugs from somewhere.

poop happens. how come big corporations (that no doubt have their own developers) can take free software created by unpaid volunteers and just implement it without running it in a testing environment first?
 
if you don't like free software because of all the bugs, then go buy the thing with all the bugs from somewhere.

poop happens. how come big corporations (that no doubt have their own developers) can take free software created by unpaid volunteers and just implement it without running it in a testing environment first?

Seems like the entire planet. For 2 years. Well, except Apple, Paypal, Microsoft amongst others.... :D

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
 
Critical code like this should surely be peer reviewed?!

This is one of the fundamental problems with open source software. The theory is that there are tons of eyes looking at the code, but after this and the GnuTLS bug, it's quite apparent there are really very few people working on the code, and proper review never happens for years, if ever.

If you look at the professional code review that was done of TrueCrypt, it just leaves you shaking your head. Shameful. I think 2014 will mark a turning point in OSS; people who use it will HAVE to start giving back, either in money or time. There are entities with unlimited resources (NSA, Chinese, Russian, USA government) who can hire as many professional coders as they want and go actively looking for exploits... if they haven't been already. Terrifying, really, as there have to be hundreds of critical holes like this in the code. It's hard to trust it completely anymore.
 