| ||RFC 6520 and the OpenSSL Heartbleed bug share the same author|
22 points by JoelJacobson on Apr 9, 2014 | hide | past | web | favorite | 11 comments |
|I find it scary the git commit bd6941cfaa31ee8a3f8661cb98227a5cbcc0f9f3 which added support for TLS/DTLS heartbeats, was written by Robin Seggelmann <firstname.lastname@example.org> who is also one of the three authors of the RFC 6520 specification.|
The "payload" in RFC 6520 is extremely bad design from a security perspective, it fulfils no purpose, a bit suspicious someone with brains would deliberatly add unnecessary complexity to the SSL procol, which is already a monster.
Even more scary, the spec clearly points out "If the payload_length of a received HeartbeatMessage is too large, the received HeartbeatMessage MUST be discarded silently.", but someone the author of the spec failed to remmeber this when writing the OpenSSL implementation of the very same spec. Highly unlikely.
| Apply to YC