[pro] Heartbleed?

David McClain dbm at refined-audiometrics.com
Wed Apr 23 13:13:03 UTC 2014


> The design is just plain wrong.

Is that statement the benefit of hindsight knowledge, or do you have a more intelligent thought process behind it? (I can imagine the all-knowing smirk in the background, but I'd really like to know :-)

- DM

On Apr 23, 2014, at 01:06 AM, Max Rottenkolber <max at mr.gy> wrote:

>> From what I understand about the bug (I have not seen the code) it sounds
>> like data length information arrived both directly and indirectly in the
>> client message and that a conflict between them was not scrutinized.
> 
> No. The bug was that the keep alive protocol in SSL mandates the server to
> echo arbitrary data back to the client. The bounds checks were wrong too,
> but at that stage it really doesn't matter. The design is just plain wrong.

Dr. David McClain
dbm at refined-audiometrics.com
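The length conflict the two messages above describe (a payload length that arrives directly in the heartbeat header, and the real record length that arrives indirectly from the transport layer) is shown here as an added C example; it is not code from the thread or from OpenSSL. The message layout (type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding) follows RFC 6520, and the two sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_MIN_PAD   16

/* Validate a heartbeat record: the declared payload length (direct) must fit
 * inside the bytes actually received (indirect). Returns the payload length,
 * or -1 when the two disagree and the record must be discarded. */
int hb_payload_len(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + declared + HB_MIN_PAD > rec_len) return -1;
    return (int)declared;
}

/* Build the echo response from the validated payload only; never reads past
 * rec_len and never writes past out_cap. Returns bytes written or -1. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    int n = hb_payload_len(rec, rec_len);
    if (n < 0) return -1;
    size_t total = 3 + (size_t)n + HB_MIN_PAD;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(n >> 8);
    out[2] = (unsigned char)(n & 0xff);
    memcpy(out + 3, rec + 3, (size_t)n);
    memset(out + 3 + n, 0, HB_MIN_PAD);  /* real code uses random padding */
    return (int)total;
}

/* Constructed sample records: 4-byte payload "ping" plus 16 bytes of padding. */
static const unsigned char GOOD[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
/* Same 23 bytes on the wire, but the header claims a 65535-byte payload. */
static const unsigned char BAD[23]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

int demo_good(void) { return hb_payload_len(GOOD, sizeof GOOD); }   /* 4  */
int demo_bad(void)  { return hb_payload_len(BAD, sizeof BAD); }     /* -1 */
int demo_response(void) {
    unsigned char out[64];
    return hb_build_response(GOOD, sizeof GOOD, out, sizeof out);   /* 23 */
}
```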


