[SystemSafety] OpenSSL Bug
Mike Rothon
mike.rothon at certisa.com
Fri Apr 11 16:38:41 CEST 2014
Since news of heartbleed came to light a couple of questions have been
going through my mind:
1) How did we arrive at a situation where a large proportion of
seemingly mission / financially critical infrastructure relies on
software whose licence clearly states "This software is provided by the
OpenSSL project ``as is`` and any expressed or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed."?
2) Is it implicit that FOSS is less secure than proprietary software
because exploits can be found by both analysis and experimentation
rather than just experimentation? Or will this start a gold rush
analysis of FOSS by security organisations resulting in security levels
that are close to or better than proprietary software?
Finally, as it's Friday afternoon:
According to Firefox, the security certificate for the server at
lists.techfak.uni-bielefeld.de expired on 30/09/2013 and the connection
is therefore untrusted!
Just in case anyone missed the news, the original source code for MS-DOS
and Word for Windows 1.1a is available online from the Computer History
Museum (http://www.computerhistory.org).
Mike
On 11/04/2014 13:25, Peter Bernard Ladkin wrote:
> The simplest, possibly the nicest, explanation of Heartbleed to date:
>
> http://xkcd.com/1354/
>
> PBL
>
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319 www.rvs.uni-bielefeld.de
>
>
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
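For readers who want the bug behind the xkcd strip in code rather than in a cartoon, the following is an added illustration written for this page; it is neither Mike's nor Peter's code and it is not OpenSSL's source. It simulates a TLS heartbeat record at the front of a small fake "heap" buffer with another connection's secret further up, and shows the vulnerable handler trusting the 16-bit payload length from the message (reading well past the 23-byte record it actually received) beside a fixed handler that applies the same bounds condition the OpenSSL 1.0.1g patch introduced (header + claimed payload + 16 bytes of padding must fit inside the record, otherwise the message is dropped silently). The function names, the heap layout and the secret string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16
#define HEAP_SIZE        256
#define OUT_SIZE         512

/* Simulated process memory (constructed for the demo): the received
 * record is placed at the front; a secret that belongs to some other
 * connection sits 64 bytes further up, where it should be unreachable. */
static unsigned char heap[HEAP_SIZE];
static const char secret[] = "user=alice;session=deadbeef";

/* Lay out a heartbeat request whose claimed payload length may exceed
 * the payload actually sent. Returns the real record length. */
size_t setup_heap(uint16_t claimed_len, const char *payload) {
    size_t real_len = strlen(payload);
    memset(heap, 'x', sizeof heap);             /* 'x' = unrelated memory */
    heap[0] = TLS1_HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8); /* length, big-endian */
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, payload, real_len);
    memset(heap + 3 + real_len, 0, HB_PADDING);
    memcpy(heap + 64, secret, sizeof secret);
    return 3 + real_len + HB_PADDING;
}

/* Vulnerable handler: copies the peer-supplied number of bytes without
 * checking it against the size of the record that actually arrived. */
int hb_vulnerable(const unsigned char *rec, size_t rec_len,
                  unsigned char *out, size_t *out_len) {
    (void)rec_len;                              /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Fixed handler: header + claimed payload + padding must fit inside the
 * record; otherwise drop the message and send nothing back. */
int hb_fixed(const unsigned char *rec, size_t rec_len,
             unsigned char *out, size_t *out_len) {
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* now within the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    *out_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Scan the response for the secret (memmem is not portable C). */
int response_leaks_secret(const unsigned char *out, size_t out_len) {
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, secret, n) == 0)
            return 1;
    return 0;
}

/* Feed one request to a handler. Returns -1 if the handler dropped it,
 * 1 if the response carries the secret, 0 if it answered cleanly. */
int run_handler(int (*handler)(const unsigned char *, size_t,
                               unsigned char *, size_t *),
                uint16_t claimed_len, const char *payload) {
    unsigned char out[OUT_SIZE];
    size_t out_len = 0;
    size_t rec_len = setup_heap(claimed_len, payload);
    if (handler(heap, rec_len, out, &out_len) != 0)
        return -1;
    return response_leaks_secret(out, out_len);
}

int main(void) {
    /* A 4-byte "ping" that claims to be 200 bytes long. */
    printf("vulnerable handler, secret leaked: %d\n",
           run_handler(hb_vulnerable, 200, "ping"));
    printf("fixed handler (-1 = dropped):      %d\n",
           run_handler(hb_fixed, 200, "ping"));
    printf("fixed handler, honest request:     %d\n",
           run_handler(hb_fixed, 4, "ping"));
    return 0;
}
```

The real bug allowed up to 65535 bytes per heartbeat and could be repeated indefinitely, so an attacker sampled the server's heap at leisure; the fake heap here is only 256 bytes so that the over-read stays inside the array and the program is well defined. Note that the fix does not reject the message with an alert: an out-of-range length is simply ignored, which is why a patched server looks, to the client, as if it never received the heartbeat.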