[Lord Dave]

Why do you guys think it took the open source community so long to find this exploit?  And how did it even GET to the point of being an exploit?

[Rushy]

The NSA.

[xasop]

You ask those questions as if this surprises you.

[markjo]

Are you saying that it shouldn't be a surprise that a know bug this serious should take so long to fix?

[xasop]

Are you saying that it shouldn't be a surprise that a know bug this serious should take so long to fix?

...

[juner]

This is why everyone should use Microsoft IIS for their web server needs.

[Lord Dave]

As I understand it, the bug basically allowed the client to define the length of the heartbeat reply even though the data requested may be a different size.

That's kinda dumb.

[Rushy]

Heartbleed wouldn't have happened if everyone used Assembly like a real man.

[Lord Dave]

Heartbleed wouldn't have happened if everyone used Assembly like a real man.

But are there any real men in programming? 

[xasop]

As I understand it, the bug basically allowed the client to define the length of the heartbeat reply even though the data requested may be a different size.

That's kinda dumb.

Correct, but bugs happen all the time. In all the many millions of lines of open-source code written each year, there are going to be many thousands of bugs, some of them severe. Some of those are going to appear in crypto software, and of those, one every few years is going to make it into a production release without being noticed because neither coders nor code reviewers are perfect.

People make mistakes. If you don't want to risk using buggy software, switch off your computer.

[Lord Dave]

As I understand it, the bug basically allowed the client to define the length of the heartbeat reply even though the data requested may be a different size.

That's kinda dumb.

Correct, but bugs happen all the time. In all the many millions of lines of open-source code written each year, there are going to be many thousands of bugs, some of them severe. Some of those are going to appear in crypto software, and of those, one every few years is going to make it into a production release without being noticed because neither coders nor code reviewers are perfect.

People make mistakes. If you don't want to risk using buggy software, switch off your computer.

But I thought the whole point of open source was so that anyone can see the code and find bugs.  I can understand it making it into production but it seems odd that not only was it obvious to me that this is a problem (clients dictating memory return?) But that it took 2 years of the open source community having full access to the source code before it was found.  I could understand 6 months but 2 years is a long time to not read and audit one of the most important pieces of software on the net.

[xasop]

But I thought the whole point of open source was so that anyone can see the code and find bugs.

That is one of its advantages. If OpenSSL were proprietary, this bug would probably still exist.

I can understand it making it into production but it seems odd that not only was it obvious to me that this is a problem (clients dictating memory return?)

It's obvious to anyone after someone has found the problem. Can you say with absolute certainty that it would have been obvious to you reading the code with no knowledge of the bug?

But that it took 2 years of the open source community having full access to the source code before it was found.  I could understand 6 months but 2 years is a long time to not read and audit one of the most important pieces of software on the net.

Why does that surprise you?

[Rushy]

Believe it or not "open source" is not a catch-all security property. No one is sitting around all day looking at millions of lines of code in open source projects and trying to find bugs, if they are, they have a lot of time on their hands or they're getting paid to do it.

[Lord Dave]

I can understand it making it into production but it seems odd that not only was it obvious to me that this is a problem (clients dictating memory return?)

It's obvious to anyone after someone has found the problem. Can you say with absolute certainty that it would have been obvious to you reading the code with no knowledge of the bug?

I can honestly say this: if the code or coder tells me that the client determines the length of the heartbeat separately from the heartbeat signal, I'd say its a problem.  I pretty much say that for anything really.  If the server isn't calculating length from the data given then you're just asking for problems.
Put it this way: if you had a subroutine that accepted an array of unknown length as input, would you have that subroutine also accept the length of the array as a separate variable or would you have the subroutine calculate that yourself?

But that it took 2 years of the open source community having full access to the source code before it was found.  I could understand 6 months but 2 years is a long time to not read and audit one of the most important pieces of software on the net.

Why does that surprise you?

1. Reading this code is a great way to learn about encrypted connections so I'd see it being read by a lot of students.
2. As something that is vastly important to a lot of very large companies, I can see the code being poured over by people looking for exploits: both for good and not so good reasons.

[xasop]

I can honestly say this: if the code or coder tells me that the client determines the length of the heartbeat separately from the heartbeat signal, I'd say its a problem.  I pretty much say that for anything really.

That isn't an answer to my question.

If the server isn't calculating length from the data given then you're just asking for problems.

You mean like how every binary-safe protocol ever works, including IP itself?

Put it this way: if you had a subroutine that accepted an array of unknown length as input, would you have that subroutine also accept the length of the array as a separate variable or would you have the subroutine calculate that yourself?

It depends on the nature of the contents of the array. If it's binary data and not a null-terminated string, you have to pass the length as a separate variable when you're working with C because there is no way to "calculate" the length of a piece of memory. All you get is a pointer; you need a size as well to know where to read up to.

You could use strlen() if you're passing a string and not binary data, but that's inefficient, particularly for large strings.

1. Reading this code is a great way to learn about encrypted connections so I'd see it being read by a lot of students.
2. As something that is vastly important to a lot of very large companies, I can see the code being poured over by people looking for exploits: both for good and not so good reasons.

That's probably true on both counts, which is why it's generally the subtler bugs that go unnoticed. In this case, all the existing code was doing the right thing; the bug was that there was missing code needed to do all the right things. It's a lot harder to read code and know what is missing than to see mistakes in what's already there.

Put another way, reading the buggy subroutines in isolation isn't sufficient to understand the problem. You need to understand where the function's inputs are coming from and what the server state is at the time it's executed before you realise that it's not doing all the validation it should be. Not just anyone skim-reading the code would pick up on it, especially if they're not specifically looking for bugs.

[garygreen]

This is on point: http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security

[xasop]

This is on point: http://www.vox.com/2014/4/12/5601828/we-massively-underinvest-in-internet-security

That article is pretty spot on, on all counts. The only thing I'd point out (in response to paragraph 3) is that it's not just the American economy that's at stake; this is an international problem.

[Fortuna]

Heartbleed wouldn't have happened if everyone used Assembly like a real man.

But are there any real men in programming?

Fortran

[markjo]

Heartbleed wouldn't have happened if everyone used Assembly like a real man.

But are there any real men in programming?

Fortran

I remember learning Fortran in college.  Fun times.  We had to learn how to write a sort routine and the teacher showed us the bubble sort.  Me, being the smart ass that I am, decided to change a few lines and turn it into an exchange sort, which works a whole lot quicker.  It pissed off the teacher because he actually had to read my code to make sure that it worked right on the final exam.

[Particle Person]

Heartbleed wouldn't have happened if everyone used Assembly like a real man.

But are there any real men in programming?

Fortran

I remember learning Fortran in college.  Fun times.  We had to learn how to write a sort routine and the teacher showed us the bubble sort.  Me, being the smart ass that I am, decided to change a few lines and turn it into an exchange sort, which works a whole lot quicker.  It pissed off the teacher because he actually had to read my code to make sure that it worked right on the final exam.

tl;dr