Not discrediting Open Source Software, but nothing is 100% safe.

  • andrew@lemmy.stuart.fun
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    1
    ·
    edit-2
    1 year ago

    Man we would have been so much better with plaintext communications everywhere, right?

    You cite heartbleed as a negative but a) SSL would never have proliferated as it has without openssl and b) the fix was out in under a week and deployed widely even faster.

    The alternative, proprietary crypto, would have all the same problems including the current laggards, but likely without everyone understanding what happened and how bad it was. In fact, it probably wouldn’t have been patched because some manager would’ve decided it wasn’t worth it vs new features.

    • Muddybulldog@mylemmy.win
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      I think the point that’s more relevant to the original post is that while the speed with which fixes were rolled out were admirable, the flaw existed for years before anybody noticed it.

      • TheYang@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        it would have been way worse, because it would have been less discoverable in a closed source software by someone somewhere

        • Muddybulldog@mylemmy.win
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Devil’s Advocate…

          Codenomicon, the company who actually named the flaw, didn’t find the bug via the source code. They were building a security product and when testing that product against their own servers exposed the flaw. Open Source was not a factor in this discovery.

          Google HAD discovered the flaw via the source code, exactly two days earlier.

          In this case, the bug was 0.267379679% more discoverable due to being open source versus being closed.

    • damnthefilibuster@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      the fix was out in under a week

      I don’t disagree with this, but your point about automatic audits… It’s always a learning curve to prevent silly shit like heartbleed from getting into the system. But the idea that there was no check against this when it was first PR’d seems almost absurd. This is why sticking hard to API and design specs and building testing around them is so important.

      I’m sure they learnt a valuable lesson there.

      • andrew@lemmy.stuart.fun
        link
        fedilink
        English
        arrow-up
        12
        ·
        edit-2
        1 year ago

        I’m not mad, just disappointed.

        In all seriousness though, I just disagree and I think it’s important to note the inaccuracy of thinking that a bug, which is famous only because it was deliberately publicized and deliberately open source, is anything but a huge win compared to what would likely have played out had the most popular SSL library in the world been proprietary and closed.

        • bloodfart@lemmy.ml
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          3
          ·
          1 year ago

          What do you disagree with? Heartbleed was a vulnerability in OpenSSL. It affected millions of computers.

            • bloodfart@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              The only person in the whole thread talking about proprietary software is that guy.

              This is a thread about how the accepted wisdom that many eyes make open source software more secure is based on the assumption that someone else is effectively auditing the code base which has been proven over and over again not to be true.

              E: I just looked at this thread and now everyone is talking about proprietary software. It would be cool if the progression of time made fools of us all, but it looks like it’s just me this time.