A customer noticed that we use Bouncy Castle internally and asked us whether the Heartbleed vulnerability affects our libraries.

Short answer: No

Long answer:

We use Bouncy Castle only for encrypting and decrypting data, not for SSL connections. In addition, the Heartbleed bug is in OpenSSL, not in Bouncy Castle. Although Bouncy Castle does implement SSL, it is a separate implementation from OpenSSL. This means that the bug lives in a library we do not use.

The Heartbleed bug is a manifestation of the classic C buffer length checking problem: the code trusts a length it was given instead of checking it against the actual size of the buffer. This bug allows attackers to read sensitive data that is located outside the bounds of the affected buffer.

Our code is 100% managed. We do not use unsafe blocks like these:

    unsafe static void FastCopy(byte[] src, byte[] dst, int count)
    {
        // unsafe context: can use pointers here.
    }

This means that reading memory out of bounds is impossible as long as no unsafe code or native interop is involved. The CLR does bounds-checking before accessing an array and throws an exception (IndexOutOfRangeException) when anyone tries to access memory outside these bounds. This means that no sensitive information can be obtained this way.
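To make the difference concrete, here is an added C# example (not code from our libraries or from Bouncy Castle) that mimics the Heartbleed pattern: the peer declares a payload length, and the code copies that many bytes into the echo response. All names and values are constructed for the example.

```csharp
using System;

// Constructed example: a heartbeat-like record where the sender declares a
// payload length that is larger than the payload it actually supplied.
static class BoundsCheckDemo
{
    // Mirrors the vulnerable pattern: trust the declared length and copy
    // that many bytes into the response. In C this would read past the end
    // of the buffer; in managed code the CLR bounds check stops it.
    static byte[] BuildEchoUnchecked(byte[] payload, int declaredLength)
    {
        var response = new byte[declaredLength];
        for (int i = 0; i < declaredLength; i++)
            response[i] = payload[i];   // throws IndexOutOfRangeException when i >= payload.Length
        return response;
    }

    // The correct handling in any language: validate the length before copying.
    static byte[] BuildEchoChecked(byte[] payload, int declaredLength)
    {
        if (declaredLength < 0 || declaredLength > payload.Length)
            throw new ArgumentException("declared length exceeds payload", nameof(declaredLength));
        var response = new byte[declaredLength];
        Array.Copy(payload, response, declaredLength);
        return response;
    }

    static void Main()
    {
        byte[] payload = { 0x48, 0x69 };   // constructed: 2 bytes actually sent ("Hi")
        int declaredLength = 4096;         // constructed: length claimed by the peer

        try
        {
            BuildEchoUnchecked(payload, declaredLength);
        }
        catch (IndexOutOfRangeException e)
        {
            Console.WriteLine("CLR stopped the over-read: " + e.Message);
        }

        try
        {
            BuildEchoChecked(payload, declaredLength);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("record rejected before any copy: " + e.Message);
        }
    }
}
```

Run it and both calls fail before a single byte outside the payload is touched; the only difference is that the checked version fails with a meaningful error instead of relying on the runtime.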