[SystemSafety] OpenSSL Bug

Mike Rothon mike.rothon at certisa.com
Fri Apr 11 16:38:41 CEST 2014


Since news of heartbleed came to light a couple of questions have been 
going through my mind:

1) How did we arrive at a situation where a large proportion of 
seemingly mission / financially critical infrastructure relies on 
software whose licence clearly states "This software is provided by the 
OpenSSL project ``as is`` and any expressed or implied warranties, 
including, but not limited to, the implied warranties of merchantability 
and fitness for a particular purpose are disclaimed."?

2) Is it implicit that FOSS is less secure than proprietary software 
because exploits can be found by both analysis and experimentation 
rather than just experimentation? Or will this start a gold rush 
analysis of FOSS by security organisations resulting in security levels 
that are close to or better than proprietary software?

Finally, as it's Friday afternoon:

According to Firefox, the security certificate for the server at 
lists.techfak.uni-bielefeld.de expired on 30/09/2013 and the connection 
is therefore untrusted!

Just in case anyone missed the news, the original source code for MS-DOS 
and Word for Windows 1.1a is available online from the Computer History 
Museum (http://www.computerhistory.org).

Mike

On 11/04/2014 13:25, Peter Bernard Ladkin wrote:
> The simplest, possibly the nicest, explanation of Heartbleed to date:
>
> http://xkcd.com/1354/
>
> PBL
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
