Well, this is at the level of browser exploits, which are (unfortunately) common. The attacker has to get the victim to visit a compromised website…
It seems to me that this library "by some Jenda" was relied on mainly because everyone uses it, so it must be OK. http://permalink.gmane.org/gmane.comp.security.cryptography.randombit/3341: "Overall, I would say that yes, OpenSSL is a huge mess for application developers. In that sense, it's very bad. On the other hand, it's the most thoroughly reviewed open source crypto implementation, and hasn't had very many security bugs found in the library per se." This ("most thoroughly reviewed open source crypto implementation") was probably just good faith…
Otherwise this would not have gone unnoticed for 2 years:
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
// the value of the payload variable is controlled by the attacker
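For readers who want to see what the missing check looks like, here is an added example (not from the post and not OpenSSL's own code) that builds a heartbeat response the way the quoted snippet does, but only after verifying that the attacker-supplied length actually fits inside the record that was received. The record layout (1 type byte, 2-byte big-endian length, payload, 16 padding bytes), the `n2s`/`s2n` helpers and the `make_heartbeat_request` test helper are simplified assumptions for the demo; the bounds check itself mirrors the one the Heartbleed fix added.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified heartbeat record layout (an assumption for this
 * example, not OpenSSL's real structures):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Big-endian 16-bit length helpers, in the spirit of OpenSSL's n2s/s2n macros. */
static uint16_t n2s(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static void s2n(uint16_t v, unsigned char *p)
{
    p[0] = (unsigned char)(v >> 8);
    p[1] = (unsigned char)(v & 0xff);
}

/* Hardened response builder. The declared payload length is attacker-controlled,
 * so it is checked against the length of the record actually received before any
 * copy happens: 1 type byte + 2 length bytes + payload + 16 padding bytes must fit.
 * Returns the response length, or -1 for a malformed record (which a server should
 * silently discard instead of answering). */
int build_heartbeat_response(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;

    uint16_t payload = n2s(rec + 1);

    /* The missing check: attacker-supplied length vs. real record length. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t need = (size_t)3 + payload + HB_PADDING;
    if (need > out_cap)
        return -1;

    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    s2n(payload, bp);
    bp += 2;
    memcpy(bp, rec + 3, payload);   /* now provably inside rec */
    bp += payload;
    memset(bp, 0, HB_PADDING);      /* random in TLS; zeroed here for determinism */
    return (int)need;
}

/* Test helper (constructed for this example): writes a request whose length
 * field says `declared_len` but that really carries `data_len` payload bytes. */
static void make_heartbeat_request(unsigned char *buf, uint16_t declared_len,
                                   const unsigned char *data, size_t data_len)
{
    buf[0] = HB_REQUEST;
    s2n(declared_len, buf + 1);
    memcpy(buf + 3, data, data_len);
    memset(buf + 3 + data_len, 0, HB_PADDING);
}

/* Well-formed request carrying "ping": expect a 23-byte response echoing it. */
int demo_well_formed(void)
{
    unsigned char rec[3 + 4 + HB_PADDING];
    unsigned char out[64];
    make_heartbeat_request(rec, 4, (const unsigned char *)"ping", 4);
    int n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    if (n < 0)
        return n;
    if (out[0] != HB_RESPONSE || memcmp(out + 3, "ping", 4) != 0)
        return -2;
    return n;
}

/* Same 23-byte record, but the length field claims 65535 bytes. The unchecked
 * code in the post would memcpy 65535 bytes out of a 23-byte record; the
 * hardened builder rejects it. */
int demo_oversized_length(void)
{
    unsigned char rec[3 + 4 + HB_PADDING];
    unsigned char out[64];
    make_heartbeat_request(rec, 0xFFFF, (const unsigned char *)"ping", 4);
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());          /* 23 */
    printf("oversized:   %d\n", demo_oversized_length());     /* -1 */
    return 0;
}
```

The point of the example is the single comparison before the `memcpy`: everything the quoted snippet does is still done, but only once the length the peer declared has been checked against the bytes the server really holds.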