Sunday, May 4, 2014

Heartbleed Articles


I've been following the Heartbleed bug in OpenSSL; for a developer it is quite an eye-opener.  It is just a common buffer overrun that returns sensitive data to the client.  It is fascinating to think that so much of the security on the internet depends on this - and how fragile the whole ecosystem is.
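To make the "common buffer overrun" concrete, here is an added example, my own simplified model rather than OpenSSL's code: a heartbeat handler that trusts the length field in the client's message, with the missing bounds check behind a `hardened` flag. The record and a constructed stand-in secret sit in one arena so the leak is observable without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat request layout (RFC 6520):
   type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_HEADER 3
#define HB_PADDING 16

/* Build a reply to a request record of rec_len bytes.
   Returns the reply length, or 0 if the request is dropped. */
static size_t heartbeat_reply(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap, int hardened)
{
    if (rec_len < HB_HEADER)
        return 0;
    /* The copy length comes from the client-controlled message itself. */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Bounds check mirroring the upstream fix: claimed payload must fit in the record. */
    if (hardened && HB_HEADER + payload + HB_PADDING > rec_len)
        return 0;                       /* silently discard, as the fix does */
    if (HB_HEADER + payload > out_cap)
        return 0;
    out[0] = 2;                         /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above this copies whatever follows the short record. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    return HB_HEADER + payload;
}

/* Simulation: an arena standing in for process memory holds a 1-byte
   heartbeat claiming a 64-byte payload, followed by a constructed secret
   (the neighbouring heap data in the real bug).
   Returns 1 if the reply contains the secret, 0 otherwise. */
int reply_leaks_secret(int hardened)
{
    uint8_t arena[128] = {0};
    const char *secret = "CONSTRUCTED-PRIVATE-KEY";  /* stand-in, not real key material */
    size_t rec_len = HB_HEADER + 1 + HB_PADDING;     /* 20 bytes actually sent */
    arena[0] = 1;                                    /* heartbeat_request */
    arena[1] = 0; arena[2] = 64;                     /* claims a 64-byte payload */
    arena[3] = 'A';                                  /* the only real payload byte */
    memcpy(arena + rec_len, secret, strlen(secret)); /* adjacent memory */
    uint8_t reply[256];
    size_t n = heartbeat_reply(arena, rec_len, reply, sizeof reply, hardened);
    for (size_t i = 0; i + strlen(secret) <= n; i++)
        if (memcmp(reply + i, secret, strlen(secret)) == 0)
            return 1;
    return 0;
}
```

With `hardened` set to 0 the reply carries the secret; with 1 the malformed request is dropped and nothing leaks.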

There are some interesting implications.  Firstly, over-reliance on code review (it is hard to think like an attacker when reviewing - you are mainly concerned with "is this doing the right thing").   Secondly, the lack of funding for this project that many corporates are using is pretty shameful.  Thirdly, it shows the inevitable limitations of static analysis, to which OpenSSL has been exposed.

Here is an XKCD which sums up the problem.

http://xkcd.com/1354/

Here is a technical article on how this type of flaw could be detected/avoided:

http://www.dwheeler.com/essays/heartbleed.html

Here is an article about someone trying to exploit the bug:

http://arstechnica.com/security/2014/04/how-i-used-heartbleed-to-steal-a-sites-private-crypto-key/
