Slashdot Mirror

← Back to Stories (view on slashdot.org)

SSL Holes Found In Critical Non-Browser Software

Posted by timothy on from the will-be-with-us-for-a-while dept.

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."

1 of 84 comments (clear)

  1. libcurl is not insecure by wmbetts · · Score: 4, Interesting

    The compliant about libcurl is baseless. It's said VERY CLEAR in the documentation how to use the feature. If stupid devs can't figure it out that's hardly the fault of a library developer. I've never had an issue with it and I've used it in C, C++, and PHP.

    To repeat what I said on the mailing list. If I break my thumb with a hammer do blame the hammer or do I blame myself?

    As Yehezkel Horowitz pointed out on the mailing list.

    This is the quote from the FAQ
    >Q: How do I use cURL securely?
    >A: CURLOPT_SSL_VERIFYPEER must be set to TRUE, CURLOPT_SSL_VERIFYHOST must be left to its default value or set to 2. Anything >else, such as setting CURLOPT_SSL_VERIFYHOST to TRUE, will result in the SSL connection being insecure against a man-in-the-middle attacker.

    The real answer should be - cURL defaults are secure - no need for any code to use it securely.
    ==================
    In general I think the very short answer for this publication should be RTFM.

    The little bit longer answer would be -
    1. cURL is a C code library - you can't set a value to TRUE since this is not in the language syntax.
    So you has somewhere in your includes something like "#define TRUE 1" - you must be aware to this issue - this is an important part of the relations between computers/compilers/programmers.

    2. Before setting any option to cURL - you should read the very clear documentation about this option.
    ==================
    As to what we can do to make cURL even better (in order to protect unprofessional users that don't know what they are doing), We could make '1' to act as '2' (verify peer identity), and add a special magic value (i.e. 27934) that will act as todays '1' (check for CN existence but don't verify it).

    I think they owe everyone at libcurl an apology.

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware