How the internet works

OK, OK. I give in. It wasn't a windup but from what you said I suppose I must be stupid. I'll send back my two degrees and get a job stacking shelves. Sorry if I upset you, but thanks to everyone who actually helped me understand.

 

When everyone does it the same way, and that way is different to what you think is right then there is probably a very good reason for that.

 

In this case it's because

 

A) there are very well known and trusted ways of preventing the problem (which were not followed in this case - hence the bug)

 

B) those controls result in a far faster operation of the system than multiple malloc calls which are expensive in terms of processor cycles.

Ouch, but I deserved it. I did throw my dummy out, didn't I. What happened, as you can see for yourself if you want, is that ghozer was explaining how heartbleed works, very helpfully to me, when probedb (dated "yesterday") chimed in claiming I'd said somebody was wrong about RAM stores or something, but I didn't say that. Later on Cyclone gave me sarcasm, suggesting that although I understand something I still like to ask questions about it and then argue. That is also untrue. I don't. Dave h-j then came back with more sarcasm but he did also give me some helpful links. Thanks, Dave h-j. Let me say it clearly: I am a genuine seeker after knowledge about heartbleed. I'm not interested in arguing. Asking further questions after someone kindly tells me what they know in reply to my original question seems to me to be a valid thing to do. It isn't arguing, in my book. So, are we all ok now? Does anyone want to argue some more? I don't.

Ghozer got it wrong for a start.

I was sarcastic at the end, when you were declaring that you had a better design for memory controllers than the one currently used, after a brief education by a bunch of non experts on a forum.

 

Heartbleed has been thoroughly explained though, and without sarcasm.

Could someone please tell me which server is referred to in accounts on this forum's topic of how the perpetrators of heartbleed get hold of someone's bank password. I've read everything that's been said so far so please let me explain my question a bit more. I read that there are many servers on the internet so which server in any given setup between a bank and my computer has access to the sender's bank password? Is it only the one closest to the sender or to the bank or all of them in the path? Does every server in any path between sender and bank put into RAM whatever password is being sent to the bank? Don't the routers drop out of the path after the sender's computer and the bank's computer are talking to each other? Thanks guys. I really want to find the answer to this problem.

Edited by woolyhead

Could someone please tell me which server is referred to in accounts on this forum's topic of how the perpetrators of heartbleed get hold of someone's bank password. I've read everything that's been said so far so please let me explain my question a bit more. I read that there are many servers on the internet so which server in any given setup has access to the sender's bank password? Is it only the one closest to the sender or to the bank or all of them in the path? Does every server in any path between sender and bank put into RAM whatever password is being sent to the bank? Don't the senders drop out of the path after the sender's computer and the bank's computer are talking to each other? I hope I've made my question clear as I wouldn't like anyone to accuse me of arguing by asking any secondary question. Thanks guys.

 

The servers people are talking about are ones hosting the site you are connecting to - so the bank's in your example. Because the data is encrypted anything along the way can't read it.

 

If you want all the details it requires a detailed understanding of how the internet works - which is way beyond what we can cover in a few forum posts. There are many web sites and books that will provide an introduction if you really want to open that particular can of worms.

Also banks are probably not a good example in this case as I do not believe any online banking uses OpenSSL. Obviously it effectively functions the same but any commercial SSL software has extensive testing to prevent this sort of bug from happening.

 

This only happened because OpenSSL is written by volunteers and everyone using it assumed it was someone else's job to test it. Hopefully big businesses will not forget so quickly and so will continue to invest money in the OpenSSL project so they can hire some paid staff to check for these sorts of things.

That's not true at all; this was an undiscovered bug that didn't come out in testing, and commercial SSL implementations are likely to also have undiscovered bugs. There is no evidence to suggest that commercial software is better in any way than volunteer written software.

 

---------- Post added 02-06-2014 at 07:27 ----------

 

Could someone please tell me which server is referred to in accounts on this forum's topic of how the perpetrators of heartbleed get hold of someone's bank password. I've read everything that's been said so far so please let me explain my question a bit more. I read that there are many servers on the internet so which server in any given setup has access to the sender's bank password? Is it only the one closest to the sender or to the bank or all of them in the path? Does every server in any path between sender and bank put into RAM whatever password is being sent to the bank? Don't the senders drop out of the path after the sender's computer and the bank's computer are talking to each other? I hope I've made my question clear as I wouldn't like anyone to accuse me of arguing by asking any secondary question. Thanks guys.

 

There are many hops on the path your packets will travel, but the only 'server' in question is the one you (the client browser) are communicating with. It's a server, because it serves the request that your client makes.

So if we were talking about a bank, it would be referring to the server with which you are communicating.

The entire chain of communication is encrypted; only the bank's server (or the forum's server, which is a more likely scenario) has access to the data after decryption. And it's this server, the one that runs the bank software, or the forum software, that would be targeted by hackers and the specially crafted request which causes the server to return a block of memory it shouldn't.

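Added example, not from anyone in this thread: a toy heartbeat handler in C showing the bug class the post above describes (a server trusting a peer-supplied length and returning memory it shouldn't) next to the bounds check that stops it. The record layout, the constructed "process memory" and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Toy heartbeat record (assumed layout, modelled on the TLS one):
 *   [type:1][payload_length:2, big-endian][payload][padding, >= 16 bytes] */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
#define RECORD_LEN (HB_HEADER_LEN + 3 + HB_MIN_PADDING) /* bytes that really arrived */

/* Constructed "process memory": a 22-byte record carrying the 3-byte payload
 * "abc" but claiming 32, followed by data that must never be sent back. */
static const unsigned char heap_image[] =
    "\x01\x00\x20" "abc" "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0"
    "session-cookie=SECRET123";

static size_t claimed_len(const unsigned char *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Vulnerable shape: trusts the peer-supplied length and copies that many bytes
 * from the payload, so it reads whatever follows the real record. */
size_t hb_reply_trusting(const unsigned char *rec, unsigned char *out, size_t cap) {
    size_t n = claimed_len(rec);
    if (n > cap) n = cap;                 /* guards only the output buffer */
    memcpy(out, rec + HB_HEADER_LEN, n);  /* over-reads past the record */
    return n;
}

/* Hardened shape: the claimed length must fit inside the bytes that actually
 * arrived, padding included; otherwise the record is silently discarded. */
int hb_reply_checked(const unsigned char *rec, size_t rec_len,
                     unsigned char *out, size_t cap) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    size_t n = claimed_len(rec);
    if (n > rec_len - HB_HEADER_LEN - HB_MIN_PADDING || n > cap) return -1;
    memcpy(out, rec + HB_HEADER_LEN, n);
    return (int)n;
}

/* 1 if the trusting reply carried the sensitive bytes out of the process. */
int trusting_reply_leaks_secret(void) {
    unsigned char out[64];
    size_t n = hb_reply_trusting(heap_image, out, sizeof out);
    return n == 32 && memcmp(out + 19, "session-cook", 12) == 0;
}

/* The checked reply refuses the same over-claiming record. */
int checked_reply_rejects_overclaim(void) {
    unsigned char out[64];
    return hb_reply_checked(heap_image, RECORD_LEN, out, sizeof out);
}
```

The only difference between the two handlers is the comparison of the claimed length against the record length actually received, which is the check the real fix added.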
You are right, we do not KNOW that commercial software is better than volunteer written software, as a general rule. But people hold commercial software to a higher standard; it's highly likely it gets more aggressive testing purely and simply because if a third party DOES find a fatal bug there is potential to sue the pants off them if it exposes your data.

 

I think this quote says it all really:

 

Because of the lack of resources, there is a backlog of hundreds of code submissions from programmers to the OpenSSL project that still haven’t been properly analyzed, Mr. Marquess said.

 

That is the only logical explanation for how he managed to let THE most common bug in C programming get through into released code. I certainly would expect something like that to be caught sooner by a commercial project with more than one paid member of development staff.

Edited by AlexAtkin

You have more faith in commercial software than I do. But then I get to see it from the inside.

You have more faith in commercial software than I do. But then I get to see it from the inside.

 

Not in general, but you have to hope that security software is given more respect.

I'd suggest that commercial security software is much more likely to be targeted by the security services who will 'convince' the company to insert a backdoor or give them a key.

I'd suggest that commercial security software is much more likely to be targeted by the security services who will 'convince' the company to insert a backdoor or give them a key.

 

As opposed to open source where they just plant someone on the dev team and insert it themselves?

 

As we now know, nobody will have checked it thoroughly to catch such attempts.
