Comment Re:Financial Institution Vulnerabilities? (Score 2) 56
I was checking the source code of the original and the "official" (not the Akamai) patch itself.
In fact, the original code (with the bug) is more ordered and clear than the patch. But in general, the issue is that OpenSSL is a very big and complex piece of code maintained by a group of people with a very small quantity of resources, yet used by many important organisations around the world.
The problem is not that the software is open source. Proprietary source also has the same level of problems, the only difference being that we can check the open-sourced products and we have no idea what they did in the proprietary (a.k.a. closed) products. The problem is that the Internet does not have a good international and neutral organisation to help verify the important parts that make it work, and the users of the technology invest no resources in verifying how well these products are made.
And yes, if a bank has a router with OpenSSL containing the bug, the router has the bug. Or it is better to say that the router has had that level of bug for nearly two years by now, and that it is possible somebody was able to bypass the security WHEN the SSL protocol is exposed.
So ... there are many sources of problems, much more than the web servers, although whether these vulnerabilities become real problems depends on how well defined the security of the network infrastructure is. Good practices lead to reduced exposure to existing vulnerabilities; this is why it is important to know, to understand and to apply these good practices.