[Linux-aus] Fwd: Post in ZDnet re: Heartbleed
brent.wallis at gmail.com
Mon Apr 14 23:07:50 EST 2014
Appologies all...forgot the list!
---------- Forwarded message ----------
From: Brent Wallis <brent.wallis at gmail.com>
Date: Mon, Apr 14, 2014 at 11:06 PM
Subject: Re: [Linux-aus] Post in ZDnet re: Heartbleed
To: Kathy Reid <kathy at kathyreid.id.au>
..can we ignore though the community derision of the management of OpenSSL?
A simple search throws up much derisive comment about the maintainers....a
lot from within the community.
Lets face it, this is a serious issue... The CloudFlare challenge has shown
that private key capture is very possible...and quite honestly, the
revocation/reissue resource requirement alone may end up reflecting badly
due to the "someone needs to be blamed" syndrome in such circumstances.
Revocation and reallocation of certs will take weeks.....perhaps we have
not seen the end of it on front pages of newspapers?
PS: I have also experienced the first ever XKCD post that I did not have a
chuckle at beyond 3 seconds...has to be the most "to the point" info on
PPS: Who is to say that closed source SSL implements have not copied
OpenSSL?... At least we know the threat....
On Mon, Apr 14, 2014 at 10:37 PM, Kathy Reid <kathy at kathyreid.id.au> wrote:
> Hi everyone,
> There's a post on ZDnet that posits that OpenSSL benefitted little from
> being open source;
> I strongly disagree with a lot of the points in the article, but am
> interested in the thoughts of others.
> * If OpenSSL wasn't open source, the vulnerability may never have been
> * The CVE was dealt with transparently and openly
> * The patch was freely available when the CVE was made public
> * The specific code vulnerability, now patched, will make other C codes
> more secure as people learn from the error
> Kathy Reid
> kathy at kathyreid.id.au
> 0418 130 636
> linux-aus mailing list
> linux-aus at lists.linux.org.au
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the linux-aus