[cryptography] Is it time for a revolution to replace TLS?
watsonbladd at gmail.com
Wed May 28 10:29:17 EDT 2014
On Wed, May 28, 2014 at 3:24 AM, Michael Rogers
<michael at briarproject.org> wrote:
> On 28/05/14 10:54, Mansour Moufid wrote:
>> On Fri, 2014-04-25 at 09:28 -0700, Tony Arcieri wrote:
>>> There's an entire class of memory safety bugs which are possible
>>> in C but not possible in Rust. These also happen to be the class
>>> of bugs that lead to Heartbleed-like secret leakage or remote
>>> code execution vulnerabilities.
>> It seems we've come to the programming version of the possibilism
>> versus "revolution or nothing" debate. In politics anyway, the
>> latter attitude leads to nothing rather than revolution.
> I don't think anyone's suggesting that we should rewrite all existing
> software in Rust (the equivalent of revolution). But it's quite
> possible to stop writing new software in C. Then we just have to wait
> 50 or 100 years for most of the existing C code to fall out of use,
> and we'll have a somewhat improved security landscape. Hooray!
That's already started happening. Microsoft has been pushing .NET in
various guises for a while. Most desktop applications don't depend
that closely on the underlying C APIs of the operating system. On the
server side C seems to be losing ground: not in terms of nginx or
Apache, but rather custom servers, where C/C++ is not the only choice.
Something like Google's Chromebook is probably exposing much less C to
the network than otherwise. Unfortunately there is a catch: Google
gets to know what you do with it. One can also do incremental
replacement: replace Adobe Reader with something safe, and you close a
big attack vector. Why does pine need to be written in C and not Ada?
> I need a drink.
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin