[langsec-discuss] cross-posting a bit on Heartbleed

dan at geer.org dan at geer.org
Fri Apr 11 02:45:57 UTC 2014

This fragment from the randombit.net crypto list, as this is perhaps
the clearest "langsec" cue I've yet seen.  Perhaps it is time for
a broadside.


Date: Thu, 10 Apr 2014 09:29:52 +1000
From: "James A. Donald" <jamesd at echeque.com>
To: cryptography at randombit.net
Subject: Re: [Cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

On 08/04/14 11:46, ianG wrote:
>> We have here a rare case of a broad break in a security protocol leading
>> to compromise of keys.

On 2014-04-09 21:53, Alan Braggins wrote:
> Though it's an implementation break, not a protocol break.

Not exactly.  The protocol failed to define a response to nonsensical
records.  The bug was that the protocol responded to invalid records
the same way as if they were valid.

The protocol should have said  "a valid record shall satisfy the
following requirements.  Invalid records shall be silently discarded
and all actions that depend on them silently terminated."
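
The rule proposed above, applied to the TLS heartbeat record at issue in Heartbleed, as an added example that is not part of the original post and is not OpenSSL's code. The record layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) is taken from RFC 6520; the names `hb_build_response` and `hb_demo` and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST     1   /* heartbeat_request message type (RFC 6520) */
#define HB_RESPONSE    2   /* heartbeat_response message type (RFC 6520) */
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* minimum padding length (RFC 6520) */

/* Hypothetical helper: check every validity requirement before acting on a
 * received heartbeat record. rec/rec_len describe the bytes actually received.
 * Returns the response length written to out, or 0 when the record is invalid
 * and is silently discarded (no reply, no alert, nothing copied). */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Requirement 1: the record holds at least a header and minimum padding. */
    if (rec == NULL || out == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    /* Requirement 2: only requests are answered. */
    if (rec[0] != HB_REQUEST)
        return 0;
    /* Requirement 3: the claimed payload fits inside the bytes received. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return 0;
    /* Requirement 4: the response fits the caller's buffer. */
    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    /* Zero padding keeps the example deterministic; RFC 6520 asks for random. */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed samples: overclaim == 0 is an honest 4-byte payload; otherwise
 * the same 23 received bytes claim a payload_length of 0x4000. */
size_t hb_demo(int overclaim)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    if (overclaim) { rec[1] = 0x40; rec[2] = 0x00; }
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}
```

The honest record yields a 23-byte response; the record whose length field disagrees with the bytes received yields nothing at all.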

