Monday, April 21, 2014


Heartbleed (CVE-2014-0160) is nothing short of an Internet disaster. Here's why:

1. In a noble effort to clean up OpenSSL, the OpenBSD team is reportedly making hundreds of changes per week. Unfortunately, that means new bugs are being introduced no matter how careful the review. You cannot test in quality — it has to be designed in from the beginning. What we should be doing is starting over from scratch with a robust programming languageC and its progeny aren't suitable for mission-critical programming. (Ada would be a good alternative.)

2. History teaches that a substantial percentage of compromised machines won't ever get patched and will continue to be exploited. Until we all start taking security seriously and come up with a way to rapidly push out a mandatory fix to all affected machines (which ain't gonna happen anytime soon), we're going to have to live with fundamental lack of security. The lesson here is that transmitting sensitive information over the Internet is folly without careful offline strong encryption.

3. Heartbleed is at least partly a consequence of the cruel hoax of free software, where talented individuals are tricked into working without monetary compensation to the great benefit of commercial enterprises. There needs to be some way to fund essential projects for the public good, especially because we can't afford to continue to rely and depend on wishful thinking.

No comments:

Post a Comment