[SystemSafety] OpenSSL Bug

Dewi Daniels ddaniels at verocel.com
Tue Apr 15 18:40:12 CEST 2014


Mike,

In the case of both the Heartbleed Bug and the Apple SSL vulnerability that
was reported earlier this year, I find it shocking how little verification
must have been carried out before the software was shipped and installed on
a very large number of web sites and mobile devices. In the safety-critical
world, we carry out extensive verification before a software-intensive
system is cleared to enter service. In the case of OpenSSL, organisations
installed software that came with no warranty. The final cost of the
Heartbleed Bug could easily surpass the financial cost of an aircraft
accident. If it doesn't, we've been lucky this time.

I suggest that open source software licenses should be expanded to mandate
that open source software must be distributed with its verification
evidence, not just the source code. That way, potential users could assess
for themselves how well the software had been verified and be in a position
to carry out additional verification should that be necessary. After all,
the Agile Manifesto states "We have come to value *working* software over
comprehensive documentation".

Yours,

Dewi Daniels | Managing Director | Verocel Limited

Direct Dial +44 1225 718912 | Mobile +44 7968 837742 | Email ddaniels at verocel.com

Verocel Limited is a company registered in England and Wales. Company
number: 7407595. Registered office: Grangeside Business Support Centre, 129
Devizes Road, Hilperton, Trowbridge, United Kingdom BA14 7SZ

From: systemsafety-bounces at lists.techfak.uni-bielefeld.de On Behalf Of
Mike Rothon
Sent: 11 April 2014 15:39
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] OpenSSL Bug

Since news of heartbleed came to light a couple of questions have been going
through my mind:

1) How did we arrive at a situation where a large proportion of seemingly
mission / financially critical infrastructure relies on software whose
licence clearly states "This software is provided by the OpenSSL project
``as is'' and any expressed or implied warranties, including, but not
limited to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed."?

2) Is it implicit that FOSS is less secure than proprietary software because
exploits can be found by both analysis and experimentation rather than just
experimentation? Or will this start a gold rush analysis of FOSS by security
organisations resulting in security levels that are close to or better than
proprietary software?

Finally, as it's Friday afternoon:

According to Firefox, the security certificate for the server at
lists.techfak.uni-bielefeld.de expired on 30/09/2013 and the connection is
therefore untrusted!

Just in case anyone missed the news, the original source code for MS-DOS and
Word for Windows 1.1a is available online from the Computer History Museum
(http://www.computerhistory.org).

Mike

On 11/04/2014 13:25, Peter Bernard Ladkin wrote:

The simplest, possibly the nicest, explanation of Heartbleed to date:

http://xkcd.com/1354/

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld,
33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de

_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
