Nat! bio photo


Senior Mull.

Twitter RSS


Heartbleed an honest mistake ? I don't think so

The RFC is written by some guys from Münster. Also some guy from Münster implemented it. So design and implementation seem to be in the same hands. The design strikes me as peculiar. Why is there an opaque "payload" that the server needs to send back ? The RFC specifies that there is only an integer, that's being sent, that is of interest to the server.

Also the strange padding restrictions seem only to be there to force the server to keep the data and to copy it ?

Finally a heartbeat in TLS strikes me as a solution, for a problem that doesn't exist, on the wrong layer level.

A general problem of projects like OpenSSL is, that after the interesting problems are solved, the good coders leave and the noobs fuck it up with heaps of code of minor usefulness.