<div dir="ltr"><br>Appologies all...forgot the list!<div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Brent Wallis</b> <span dir="ltr"><<a href="mailto:brent.wallis@gmail.com">brent.wallis@gmail.com</a>></span><br>
Date: Mon, Apr 14, 2014 at 11:06 PM<br>Subject: Re: [Linux-aus] Post in ZDnet re: Heartbleed<br>To: Kathy Reid <<a href="mailto:kathy@kathyreid.id.au">kathy@kathyreid.id.au</a>><br><br><br><div dir="ltr">Hey Kathy,<div>
Interesting article...tks.</div><div>but...</div><div>..can we ignore though the community derision of the management of OpenSSL?</div><div>A simple search throws up much derisive comment about the maintainers....a lot from within the community.</div>
<div><br></div><div>Lets face it, this is a serious issue... The CloudFlare challenge has shown that private key capture is very possible...and quite honestly, the revocation/reissue resource requirement alone may end up reflecting badly due to the "someone needs to be blamed" syndrome in such circumstances.</div>
<div><br></div><div><br></div><div>Revocation and reallocation of certs will take weeks.....perhaps we have not seen the end of it on front pages of newspapers?</div><div><br></div><div>BW</div><div><br></div><div>PS: I have also experienced the first ever XKCD post that I did not have a chuckle at beyond 3 seconds...has to be the most "to the point" info on this anywhere:</div>
<div><a href="http://xkcd.com/1354/" target="_blank">http://xkcd.com/1354/</a><br></div><div><br></div><div>PPS: Who is to say that closed source SSL implements have not copied OpenSSL?... At least we know the threat....</div>
<div><br></div>
<div><br></div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 14, 2014 at 10:37 PM, Kathy Reid <span dir="ltr"><<a href="mailto:kathy@kathyreid.id.au" target="_blank">kathy@kathyreid.id.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi everyone,<br>
<br>
There's a post on ZDnet that posits that OpenSSL benefitted little from<br>
being open source;<br>
<a href="http://www.zdnet.com/did-open-source-matter-for-heartbleed-7000028378/" target="_blank">http://www.zdnet.com/did-open-source-matter-for-heartbleed-7000028378/</a><br>
I strongly disagree with a lot of the points in the article, but am<br>
interested in the thoughts of others.<br>
<br>
* If OpenSSL wasn't open source, the vulnerability may never have been found<br>
* The CVE was dealt with transparently and openly<br>
* The patch was freely available when the CVE was made public<br>
* The specific code vulnerability, now patched, will make other C codes<br>
more secure as people learn from the error<br>
<br>
--<br>
--<br>
<br>
Kathy Reid<br>
<a href="mailto:kathy@kathyreid.id.au" target="_blank">kathy@kathyreid.id.au</a><br>
0418 130 636<br>
@kathyreid<br>
<br>
<br>
_______________________________________________<br>
linux-aus mailing list<br>
<a href="mailto:linux-aus@lists.linux.org.au" target="_blank">linux-aus@lists.linux.org.au</a><br>
<a href="http://lists.linux.org.au/listinfo/linux-aus" target="_blank">http://lists.linux.org.au/listinfo/linux-aus</a><br>
</blockquote></div><br></div>
</div></div></div><br></div></div>