Who needs the NSA, we have Heartbleed!

There has been a lot written about the NSA collecting our metadata and generally snooping in our private communications, and, no doubt, this is an important issue.  But we don’t need the NSA: we have our own human failings!  Simple oversights and coding errors cause huge problems.  Witness two recent, very significant security flaws:

  1. Apple’s very serious flaw in the TLS code shared by iOS and Mac OS X, caused by a single extra, duplicated “goto fail;” statement, almost certainly completely accidental.  The stray jump made the check of the server’s signature that followed it unreachable, so the handshake succeeded no matter what signature was presented. 
  2. Heartbleed, where the programmer who wrote OpenSSL’s implementation of the TLS heartbeat extension (the keep-alive in which one end asks the other to echo a payload back), Robin Seggelmann, just plain missed the bounds check.  The code trusted the payload length declared in the request instead of comparing it with the length of the record that actually arrived, so a request claiming a payload of up to 64 KB while sending only a few bytes got that much of the server’s memory echoed back to the sender.  
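To make the second item concrete, here is an added example written for this page (it is not OpenSSL’s code and does not use its data structures).  It imitates the wire layout of a heartbeat message from RFC 6520, shows a handler with the missing check next to one that has it, and builds a small constructed “memory image” in which a short request that lies about its payload length sits directly in front of a secret.  The handler names, the “ping” request, the 40-byte claim and the SECRET string are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class; NOT OpenSSL's code.
 * Heartbeat message layout per RFC 6520:
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian
 *   then       : payload_length bytes of payload, then >= 16 bytes padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Vulnerable shape: the payload length comes from the request and is used as the
 * memcpy length without being compared to rec_len, the bytes that really arrived.
 * Only the destination buffer is checked, which is not the problem. */
size_t heartbeat_reply_vulnerable(const unsigned char *rec, size_t rec_len,
                                  unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = n2s(rec + 1);
    size_t reply_len = 1 + 2 + payload + HB_PADDING;
    if (reply_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    s2n((uint16_t)payload, out + 1);
    memcpy(out + 3, rec + 3, payload);          /* over-reads when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);   /* zero padding here; random in real TLS */
    return reply_len;
}

/* Fixed shape: reject records too short to hold header plus minimum padding,
 * then reject any record whose declared payload does not fit in what was
 * received. RFC 6520 says such messages are silently discarded. */
size_t heartbeat_reply_fixed(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t payload = n2s(rec + 1);
    if (1 + 2 + payload + HB_PADDING > rec_len)  /* the check Heartbleed lacked */
        return 0;
    size_t reply_len = 1 + 2 + payload + HB_PADDING;
    if (reply_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    s2n((uint16_t)payload, out + 1);
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return reply_len;
}

/* Constructed scenario: a 23-byte request ("ping" + 16 bytes padding) claiming a
 * 40-byte payload sits in memory directly before a secret. Returns how many
 * bytes of that secret the handler copied into its reply. */
static const unsigned char SECRET[] = "PRIVATE-KEY-MATERIAL";   /* 20 bytes, constructed */

size_t secret_bytes_leaked(hb_handler handler)
{
    unsigned char mem[64] = {0};
    const size_t rec_len = 1 + 2 + 4 + HB_PADDING;    /* bytes that actually arrived */
    mem[0] = HB_REQUEST;
    s2n(40, mem + 1);                                 /* the lie: claim 40 payload bytes */
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1); /* adjacent "heap" contents */

    unsigned char reply[128];
    size_t n = handler(mem, rec_len, reply, sizeof reply);
    if (n == 0)
        return 0;                                     /* request was discarded */

    size_t echoed = n2s(reply + 1), leaked = 0;
    for (size_t i = 0; i < echoed; i++) {
        size_t src = 3 + i;                           /* offset byte i was read from */
        if (src >= rec_len && src - rec_len < sizeof SECRET - 1 &&
            reply[3 + i] == SECRET[src - rec_len])
            leaked++;
    }
    return leaked;
}

/* The fix must still answer a well-formed request correctly. */
int fixed_echoes_valid_request(void)
{
    unsigned char rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    unsigned char reply[64];
    size_t n = heartbeat_reply_fixed(rec, sizeof rec, reply, sizeof reply);
    return n == sizeof rec && reply[0] == HB_RESPONSE &&
           n2s(reply + 1) == 4 && memcmp(reply + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaked %zu secret bytes\n", secret_bytes_leaked(heartbeat_reply_vulnerable));
    printf("fixed handler leaked %zu secret bytes\n", secret_bytes_leaked(heartbeat_reply_fixed));
    printf("fixed handler echoes a valid request: %s\n", fixed_echoes_valid_request() ? "yes" : "no");
    return 0;
}
```

The vulnerable handler copies all 20 bytes of the neighbouring secret into the reply because the only length it consults is the one the requester wrote; the fixed handler discards the same request because 3 + 40 + 16 bytes cannot fit in the 23 that arrived.  The example keeps every read inside its own 64-byte array so that it runs deterministically; the real bug read from whatever happened to follow the record in the server’s heap.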

There’s an incredibly good cartoon by Randall Munroe on xkcd which explains Heartbleed better than I could, and in many (many!) fewer words.



If you want a more general and less technical explanation you might like the New York Times article, or, for a more technical explanation, you can see Steve Gibson’s explanation (which is where I saw the reference to the cartoon!).

Humans are imperfect, and despite our very best efforts, it’s virtually impossible to write flawless code and, as we have recently seen, all too easy to inadvertently introduce serious security flaws.  It's unclear to me whether there is any hope of truly secure online commerce with our present internet structure, which was never envisioned or designed with security in mind!  Back to paper?  It's not a completely crazy notion!


