Hacker News new | ask | show | jobs
by joshstrange 4439 days ago
Which might be true but seems odd to bring up in the blog post.

Also they say:

>> Many kinds of browser security bugs, such as the recent Heartbleed vulnerability, are prevented automatically by the Rust compiler.

Are they referencing reverse heartbleed here? Browsers themselves were not vulnerable to heartbleed, I don't even this they were vulnerable to reverse heartbleed.

There is no way Servo would have prevented the heartbleed bug, no browser could have, I feel like that sentence has no place in this blog post.
3 comments
metajack 4439 days ago
If the wording was "such as vulnerabilities similar to Heartbleed" would that make it better.

The point I was trying to make is that you can't make that kind of mistake in the safe Rust language. You will fail a bounds check even if you decide to trust client provided lengths.

link
joshstrange 4439 days ago
I think that would have made it better. I can believe that Rust protects you from the mistake that led to heartbleed but the statement read (to me at least) more like:

"Servo protects you from that really scary thing the internet has been atwitter with for the past week whereas other browsers leave you high and dry"

I know that is not what you said and probably not what you meant but it just seemed like an odd way to word IMHO.

link
metajack 4439 days ago
I updated the blog post with improved wording.
link
wnevets 4439 days ago
I believe its suggesting that Rust prevents the missing bounds check bug that caused heartbleed. Heartbleed is just latest example of such a bug.
link
chimeracoder 4439 days ago
> Browsers themselves were not vulnerable to heartbleed,

Clients could have been vulnerable to Heartbleed. Feel free to correct me on this, but I believe the only reason they weren't is that Chrome uses OpenSSL compiled without the heartbeat feature, and Firefox uses NSS.

link
azakai 4439 days ago
Both Firefox and Chrome uses NSS (although I believe Chrome has a potential plan considering using OpenSSL at some point in the future).
link
gsnedders 4439 days ago
Chrome on Android uses OpenSSL, FWIW. I have no idea whether it supported the Heartbeat extension though.
link