Heartbleed

Posted on April 9, 2014 by gerv

For the good of the Internet, Someone needs to write an SSL library in Rust. Who would be up to such a task?

9 thoughts on “Heartbleed”

Ludovic on April 9, 2014 at 3:45 PM said:

Hum why not just push NSS as a good alternative ?
- Ms2ger on April 9, 2014 at 4:05 PM said:
  
  Is it? Serious question. I feel like it might be better than OpenSSL, but that’s not a high bar. It’s still written in C, though, with all the issues that involves.
gerv on April 9, 2014 at 4:09 PM said:

Aha… a starting point.
pd on April 9, 2014 at 5:31 PM said:

Why are you calling for an OpenSSL replacement to be written in Rust? Please elaborate.
- gerv on April 9, 2014 at 5:47 PM said:
  
  Rust is a language with, among other things, guaranteed memory safety. Entire classes of programming errors which have plagued C for decades are not possible by design in Rust. That’s the point, and that’s why Mozilla’s next-generation browser engine is going to be written in it. I am suggesting that we apply some of those excellent qualities to try and make an SSL library that doesn’t have buffer overruns, uninitialized variables, etc.
  - njn on April 11, 2014 at 3:37 AM said:
    
    And Rust is designed to make it be straightforward to write code that’s as fast as equivalent C++, which is important.
squib on April 9, 2014 at 7:29 PM said:

Using Rust wouldn’t do a whole lot when OpenSSL *went out of their way* to be vulnerable: http://article.gmane.org/gmane.os.openbsd.misc/211963
- Valentin on April 10, 2014 at 12:57 AM said:
  
  That’s really scarry stuff. Seems this video was spot on:
  http://ftp.heanet.ie/mirrors/fosdem-video/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm
Alex Bishop on April 9, 2014 at 9:54 PM said:

There was a discussion about this on the Rust subreddit: http://www.reddit.com/r/rust/comments/22gppc/when_life_hands_you_lemons_is_this_rusts_time_to/

Hacking for Christ

Gervase Markham

Heartbleed

9 thoughts on “Heartbleed”