A quick and dirty translation by me of a full-page ad that was published in two big newspapers in Germany a few days ago. DISCLAIMER: NOT AN OFFICIAL TRANSLATION!
This is what a German software company owner has to share. Please cue #doublefacepalm
German version and interesting discussion (in german) at https://plus.google.com/112648813199640203443/posts/W2MfRKwTtrw
"Internet security and Heartbleed
My name is Klaus Brandstätter. I am a certified engineer and will turn 60 this year. More than 40 years ago I learned programming in high school and have since written more than a million lines of code myself. I am also CEO of HOB GmbH & Co. KG.
I have looked at the source code of Heartbleed and understood what is happening. An attacker can read up to 64 kilobytes of random memory, which may contain passwords, certificates, secret keys, or the decrypted message. During attacks it can also crash the web server, so one could also perform a denial-of-service attack when exploiting Heartbleed.
The fundamental principle for us is: everything the user types must be carefully examined. This is a common principle, known to all, including the developers of websites. Furthermore, there is the principle that everything that comes from the network must be thoroughly checked, especially when it comes from the public Internet, perhaps sent by hackers. The developer in question has not followed this (simple) principle. So the developer in question is not overly intelligent and does not have the necessary basic knowledge. That is one side of the problem.
How is it possible that such a qualified developer is allowed to work on highly sensitive security software? That is the responsibility of other people. OpenSSL is open source software. Development is usually done without pay, as a hobby, in addition to the normal job. Such open-source developers are often only 17 years old.
There are excellent open source solutions. But the vast majority of open source software is of really poor quality. Open source projects are managed. How is OpenSSL managed? How can management (no matter how it is organised) allow unqualified hobbyists to help develop highly sensitive security software? Programming software that somehow works can be done by low-skilled developers. Creating quality is a different thing.
If one uses such software of inferior quality, then one has a security risk. It also means higher costs to operate the solutions, because these solutions will often not work, especially when a specific event occurs.
Some successful Internet companies have the following business philosophy: take as much open source software as needed and available, combine it with their own ideas, perhaps add a few lines of their own code. The whole thing is done fast and offers many functions. Exactly what users want. Then it is packed into a fancy box (the box is called an "appliance") and off you go selling it. Some companies in Silicon Valley have become very large using this principle. And those companies use OpenSSL for encryption, without checking the quality in any way.
A chain is as weak as its weakest link. That is what everyone who deals with quality management learns. Where is the quality management when OpenSSL is used? This approach is irresponsible. Conclusion: all the companies using solutions based on OpenSSL are acting in an irresponsible way.
Heartbleed has now been removed from OpenSSL. But who knows how many more problems still lie dormant in OpenSSL?
HOB solutions are based on HOB SSL, developed by permanently employed developers at HOB GmbH & Co. KG. All employees must pass difficult tests before they are hired at HOB. HOB SSL was developed and tested by highly qualified developers. This took us many years.
The HOB programs are reviewed with expensive tools; these tools examine software in a way no man could do on his own (without tools). (Open-source developers have no expensive tools available.) HOB SSL has been certified by the BSI according to Common Criteria EAL 4+. Achieving this level of certification was complicated and took several years. HOB had to demonstrate theoretically and practically that HOB RD VPN, based on HOB SSL, is secure.
For the theoretical proof we worked with Dr. Richard, professor of Mathematics at the University of Erlangen-Nuremberg. The documentation for the certification comprises approximately 1,500 pages. Of course this has cost us a lot of money.
Only a few security components reach the certification level of Common Criteria EAL 4+. Common Criteria is an international standard (of the industrial nations) on which the NSA also collaborates. The NSA knows what is secure. They don't want to be hacked or spied on themselves. HOB SSL has managed to achieve this Common Criteria EAL 4+ certification level.
At HOB we strictly ensure that security-critical products do not fall into the wrong hands. This applies to the finished products. And even more so for the source code, which only selected people are allowed to see.
What does the reader think about using open-source solutions for security-critical functions, where everyone who wants to hack it can do so comfortably by looking through the source code to see how it works and find weak spots to exploit?
HOB is very aware of the responsibility towards customers and users and acts accordingly."
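For readers who want to see what the ad's "everything that comes from the network must be thoroughly checked" point actually means for Heartbleed, here is an added example. It is my own illustration, not code from the ad, from HOB, or from OpenSSL: a stripped-down heartbeat handler in the RFC 6520 message layout (type, 16-bit payload length, payload, 16 bytes of padding), once trusting the peer-supplied length and once checking it against the number of bytes that really arrived. The record struct, the function names and the "secret" placed after the record are all constructed for the demo; the over-read is kept inside one 128-byte buffer so the simulation itself stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520 requires at least 16 bytes of padding */

/* Stand-in for a received TLS record (assumed structure, not OpenSSL's): a
 * pointer into the receive buffer plus how many bytes actually arrived. */
typedef struct {
    const unsigned char *data;
    size_t length;
} record_t;

/* Echoes payload_len bytes from payload_src back as a heartbeat response.
 * Note that only the *destination* capacity is checked here; whether the
 * source really holds payload_len bytes is the caller's job. */
static int build_response(const unsigned char *payload_src, uint16_t payload_len,
                          unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, payload_src, payload_len);          /* copies payload_len bytes, whatever they are */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Vulnerable pattern: the length field is taken straight from the peer. */
int heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    /* BUG: payload_len is never compared with rec->length, so the memcpy in
     * build_response reads whatever sits after the record in memory. */
    return build_response(p + 3, payload_len, out, out_cap);
}

/* Hardened pattern: validate the claimed length against what was received. */
int heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap)
{
    if (rec->length < 1 + 2 + HB_PADDING) return -1;   /* too short to be a heartbeat at all */
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec->length)
        return -1;                                     /* claims more than arrived: discard silently */
    return build_response(p + 3, payload_len, out, out_cap);
}

#define REAL_PAYLOAD 4
#define REC_LEN      (1 + 2 + REAL_PAYLOAD + HB_PADDING)   /* 23 bytes really received */
#define CLAIMED_LEN  64                                    /* what the request claims */

/* Constructed scenario. Returns 1 if the response echoed the secret that lay
 * beyond the record, 0 if a response was produced without it, and -1 if the
 * handler rejected the request. */
int leak_demo(int use_fixed)
{
    static const char secret[] = "SESSION-COOKIE=abc123";    /* constructed sample data */
    unsigned char buf[128] = {0};      /* record and "adjacent memory" in one allocation */
    buf[0] = HB_REQUEST;
    buf[1] = CLAIMED_LEN >> 8;
    buf[2] = CLAIMED_LEN & 0xff;
    memcpy(buf + 3, "ping", REAL_PAYLOAD);
    memcpy(buf + REC_LEN, secret, sizeof secret);             /* not part of the record */
    record_t rec = { buf, REC_LEN };
    unsigned char out[256];
    int n = use_fixed ? heartbeat_fixed(&rec, out, sizeof out)
                      : heartbeat_vulnerable(&rec, out, sizeof out);
    if (n < 0) return -1;
    /* out[3 + i] mirrors buf[3 + i], so buf[REC_LEN] lands at out[REC_LEN] */
    return memcmp(out + REC_LEN, secret, strlen(secret)) == 0 ? 1 : 0;
}

int main(void)
{
    printf("vulnerable handler leaked adjacent memory: %s\n", leak_demo(0) == 1 ? "yes" : "no");
    printf("fixed handler rejected the request:        %s\n", leak_demo(1) == -1 ? "yes" : "no");
    return 0;
}
```

The whole difference is the one comparison in heartbeat_fixed: the 16-bit length in the message is data from the network, and it is only safe to use once it has been checked against the length the transport layer actually delivered. Real Heartbleed responses were up to 64 KB because that is the maximum a 16-bit length field can claim; the demo uses 64 bytes to keep the buffers small.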