Comment by timschmidt
4 days ago
> I'm confused
The original paper which proposed the OpenSSL Heartbeat extension was written by two people: one worked for NSA and one was a student at the time who went on to work for BND, the "German NSA". The paper authors also wrote the extension.
I know this because when it happened, I wanted to know who was responsible for making me patch all my servers, so I dug through the OpenSSL patch stream to find the authors.
What does that paper say about implementing the TLS Heartbeat extension with a trivial uninitialized buffer bug?
About as much as Jia Tan said about implementing the XZ backdoor via an inconspicuous typo in a CMake file. What's your point?
I'm asking what the paper has to do with the vulnerability. Can you answer that? Right now your claim basically comes down to "writing about CMake is evidence you backdoored CMake".
Ah, that clears up the confusion. Thank you for taking the time to explain!
What's the original paper? The earliest thing I can find is an RFC.
I'm pretty sure he meant the RFC. (Insert "The German Three" meme).