But also, we gotta start writing stuff like this parser in safer languages where... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		matt2000 on March 1, 2017 \| parent \| context \| favorite \| on: Quantifying the Impact of “Cloudbleed” But also, we gotta start writing stuff like this parser in safer languages where this class of bug simply can't happen, right? Every time one of these breaches occurs, it's basically the same thing. "Data wasn't what we expected, we read a bunch of extra junk that had nothing to do with the input." It's kind of crazy it's acceptable at all. At this point, these kind of problems are on us as a community that we keep using unsafe tools. Every time we choose one of these languages we are implicitly trading security for performance (a.k.a. money).

tedivm on March 1, 2017 | [–]

If things aren't written in a "safe language" then they should at least be tested. Valgrind should have picked this issue up.

nikisweeting on March 1, 2017 | [–]

The lesson I really hope Cloudflare learns from this is to do thorough fuzz testing before deploying anything (and to write their parsers in a memory-safe language like Rust).

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact