On Fri, Apr 11, 2014 at 03:07:09PM +0200, tpb-crypto@laposte.net wrote:
Message du 11/04/14 05:44 De : dan@geer.org
It makes me wonder if the NSA was involved in inserting this bug into OpenSSL clients and servers.
If they did it, someone got a promotion. If they are as surprised as you are, someone got fired.
In the meantime, tell me that gcc is so compact and well vetted that there is no room in it for insertions...
This article makes an interesting point, we got to dig a bit more from our pockets:
http://www.wired.com/2014/04/heartbleedslesson/
The second point I wish to make is the surprise by which the original developer took the issue. Maybe, just maybe, he did not create that flaw at all.
It could have been inserted into the OpenSSL repository through a backdoor ... or why would the spies by so interested in hacking professors that deal with crypto and whose word is trusted by the masses? Like they did to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
It may be possible that Segelmann did his job correctly, that the reviewer did his job correctly, but someone unknown may have changed it just a little bit before delivery.
Besides funding projects like OpenSSL better, we should start considering the security of the repositories themselves.
What ya fellow coders think?
I certainly don't trust repositories ;) btw, I think this heartbleed story is exaggerated. If it were code execution it would have been much worse. browser vendors fix _a lot_ of "unspecified memory hazards" every few months. IMO getting owned by a browser bug is much more likely than by heartbleed. Is there a significant rise of revoked certs caused by HB paranoia?