Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Many said this in hindsight, but for OpenSSL it was no lack of people that said this in foresight as well, i.e. they complained about the shoddy code quality of OpenSSL long before the heartbleed attack. One of those was Poul Henning Kamp, that have mentioned OpenSSL as a problem in many talks before Heartbleed was discovered. He is not alone. It is also quite well known that OpenSSL have had a unusually high number vulnerabilities in its history, mostly because its low quality. I have read the code, even before the heartbleed bug was introduced, and I was not surprised that this could happen. Some of the code that lead to the heartbleed bug was made to bypass security measures done by the operating systems to make it hard to exploit such vulnerabilities, and the maintainers did this instead of fixing the problem.

So why have nobody fixed them. I guess one of the reason is that the codebase is broken beyond repair, and it was not just to "provide patches". In fact a major rewrite or reworking of the code was required, and this is what the people behind LibreSSL currently are doing.

Another reason is that people (and companies) generally are not willing to pay for security, and does not know when something is secure or not. Thus for something that works, but is insecure, the incentive for doing something about it is missing. Security vulnerabilities is only theoretical for most people.



It's been linked by me (and others) at times, but PHK's recent talk at FOSDEM[1] is something every engineer needs to see. In the talk, he not only has a well-reasoned warning about OpenSSL months before Hearbleed, but he makes a pretty convincing argument about the "PSYOPS For Nerds" we could be witnessing in this very thread.

Are the nerds about to fix some of the security holes you've been exploiting? Easy; just distract them with yet another "gpl vs bsd" bikeshed argument! They never get tired of it!

[1] http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORC...




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: