Slashdot Mirror


Bug In the GnuTLS Library Leaves Many OSs and Apps At Risk

New submitter williamyf writes "According to this article at Ars Technica, '[A] bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.' The coding error may have been present since 2005."

5 of 231 comments

  1. We all knew it was coming... by neiras · · Score: 5, Informative

    From February 16 2008: Howard Chu of OpenLDAP: GnuTLS Considered Harmful

    Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.

    Incredible that GnuTLS is used anywhere at all. It's just mind boggling.
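An added illustration of the point in the Howard Chu passage quoted above (not part of the original thread and not GnuTLS code): an append that infers length with strlen drops everything after the first zero byte, while a counted-length blob keeps every byte. The names blob_t, append_cstr, blob_append and the sample bytes are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Counted-length blob (hypothetical type): the length travels with the data. */
typedef struct { unsigned char data[64]; size_t len; } blob_t;

/* Constructed sample: 8 bytes of binary data with a zero byte at offset 3. */
static const unsigned char SAMPLE[8] = {0x16, 0x03, 0x01, 0x00, 0x2a, 0xde, 0xad, 0xbe};

/* String-style append: the length is inferred with strlen(), so bytes after
 * the first 0x00 in src are silently lost. Returns the resulting length. */
size_t append_cstr(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst), n = strlen(src);
    if (used + n + 1 > cap)
        return (size_t)-1;
    strcat(dst, src);
    return used + n;
}

/* Counted append: the caller states the length, zero bytes are ordinary data,
 * and the bounds check uses the real sizes. Returns 0 on success, -1 if full. */
int blob_append(blob_t *b, const unsigned char *src, size_t n)
{
    if (n > sizeof b->data - b->len)
        return -1;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

size_t demo_cstr_len(void)   /* bytes that survive the strlen/strcat path */
{
    char buf[64] = "";
    return append_cstr(buf, sizeof buf, (const char *)SAMPLE);
}

size_t demo_blob_len(void)   /* bytes that survive the counted path */
{
    blob_t b = { {0}, 0 };
    if (blob_append(&b, SAMPLE, sizeof SAMPLE) != 0)
        return (size_t)-1;
    return memcmp(b.data, SAMPLE, sizeof SAMPLE) == 0 ? b.len : (size_t)-1;
}

int main(void)
{
    printf("strlen/strcat kept %zu of 8 bytes\n", demo_cstr_len());
    printf("counted blob kept %zu of 8 bytes\n", demo_blob_len());
    return 0;
}
```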

  2. Re:AHAHAHAHAH by lister king of smeg · · Score: 5, Interesting

    "Open Source Software is more secure because the code can be reviewed."

    That's why this bug has existed since 2005. gg, guys. Thumbs up.

    What do you mean? The many eyes found said bug; that is why we are reading about it. If they had not, it would still be sitting there undiscovered. Ever wonder how many bugs go completely unnoticed in proprietary software because no one actually reads said code? Like, for example, a Windows bug affecting all 32-bit Windows OSes for 17 years: http://www.computerworld.com/s....

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  3. "Error" is Plausible Deniability by Jeremiah Cornelius · · Score: 5, Interesting

    Hot on the heels of Apple's SSL/TLS implementation "flaw" across all stacks, and the Snowden revelations of NSA infiltration for weakening crypto?

    You don't have to be wearing Tin Foil, just to become a little suspicious...

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  4. Re:AHAHAHAHAH by bonch · · Score: 5, Informative

    The bug was found due to observed behavior, not due to a code review.