[SystemSafety] OpenSSL Bug

Patrick Graydon patrick.graydon at gmail.com
Fri Apr 11 18:07:35 CEST 2014


On 11 Apr 2014, at 17:45, Ian Broster <ianb at rapitasystems.com> wrote:

> Part a) If you want people to assume some liability for how SOMEONE ELSE USES their software, then you're going to have to pay an awful lot more for your software.

There is a difference between taking on full liability for what anyone else does with software and taking responsibility for not exposing users to unreasonable and undisclosed risk.

I don’t expect vendors to predict *every* threat.  But we are talking about SSL here.  It is beyond question that the vendors know that someone might try to break the encryption to steal the information that is being made secret.

I don’t expect vendors to consider *all* potential forms of vulnerability.  But given the history of security vulnerabilities, it is equally beyond question that an unchecked input risks facilitating that theft.

I also don’t expect *perfection* in the defence against every kind of attack.  But some basic analyses, coding precautions, and testing of forms that were standard for other critical software decades ago don’t strike me as particularly unreasonable considering the massive potential for damage.

In short, this was a predictable threat and a known form of attack and could have been prevented with techniques that were clearly warranted given what was known about risk.  There is zero excuse for not employing those techniques.

— Patrick
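As an added illustration of the "unchecked input" precaution the post refers to (this is example code, not from the post, the thread, or the OpenSSL project), the following C parses a length-prefixed record and refuses to act on a declared length that exceeds the bytes actually received. The record layout (one type byte, a two-byte big-endian length, then the payload) is a hypothetical format chosen for the example, not any real protocol's wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (an assumption for this example, not a real
 * protocol): one type byte, a two-byte big-endian payload length, payload. */
typedef struct {
    uint8_t type;
    uint16_t declared_len;
    const uint8_t *payload;
} record_t;

/* Parse a record from buf, which holds `avail` bytes actually received.
 * Returns 0 on success, -1 when the header is truncated, -2 when the length
 * field claims more payload than was received. The comparison against `avail`
 * is the basic coding precaution: the length field is peer-controlled input
 * and must never be trusted over the number of bytes really present. */
int parse_record(const uint8_t *buf, size_t avail, record_t *out) {
    if (buf == NULL || out == NULL || avail < 3) return -1;
    uint16_t declared = (uint16_t)((buf[1] << 8) | buf[2]);
    if ((size_t)declared > avail - 3) return -2;
    out->type = buf[0];
    out->declared_len = declared;
    out->payload = buf + 3;
    return 0;
}

/* Copy the verified payload into the caller's buffer, bounded by both the
 * checked payload length and the destination capacity. Returns the number of
 * bytes copied, or -1 if the destination is too small. */
int copy_payload(const record_t *rec, uint8_t *dst, size_t dst_cap) {
    if (rec == NULL || dst == NULL || rec->declared_len > dst_cap) return -1;
    memcpy(dst, rec->payload, rec->declared_len);
    return (int)rec->declared_len;
}

/* Constructed sample messages: an honest one whose length matches its
 * payload, and one whose length field claims far more than was sent. */
int demo_honest(void) {
    const uint8_t msg[] = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    record_t rec;
    return parse_record(msg, sizeof msg, &rec);   /* 0: accepted */
}

int demo_overclaim(void) {
    const uint8_t msg[] = {0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    record_t rec;
    return parse_record(msg, sizeof msg, &rec);   /* -2: rejected */
}

int main(void) {
    printf("honest: %d, overclaim: %d\n", demo_honest(), demo_overclaim());
    return 0;
}
```

The point is the ordering: the length field is validated against what was actually received before any copy depends on it, so an over-claiming message is rejected at parse time rather than turned into a read past the end of the buffer. A test of the same shape (a message whose length field exceeds the bytes supplied) is the kind of routine check the post describes as standard for critical software.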


