Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
The link above takes you to an article about a vulnerability in the GnuTLS cryptography library that lets an attacker eavesdrop on the SSL and TLS connections of any website or application built on that library.
From the article:
“The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.”
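The linked article places the bug in GnuTLS's X.509 certificate verification code, and the fix shipped with the advisory corrected the handling of error return codes in that path so that an internal failure was no longer mistaken for "certificate verified". The C program below is an added illustration of that bug class, written for this page and not taken from GnuTLS: a helper answers 1 or 0 but returns a negative error code when it cannot parse the certificate, and a caller that tests only for "non-zero" accepts the error as success. The cert_t structure, the function names and the sample certificates are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, minimal stand-in for an X.509 certificate holding only the
 * fields the check below looks at. This is not a GnuTLS structure. */
typedef struct {
    const char *subject;
    const char *issuer;
    int basic_constraints_ca;   /* 1 = CA, 0 = end-entity, -1 = extension malformed */
} cert_t;

/* C-library style contract: 0 and 1 are answers, anything negative is an error. */
#define ERR_BAD_EXTENSION (-42)

/* Returns 1 if `issuer` may act as a CA for `cert`, 0 if it may not, and a
 * negative error code if the basicConstraints extension cannot be parsed. */
static int check_if_ca(const cert_t *cert, const cert_t *issuer)
{
    int result;

    if (issuer->basic_constraints_ca < 0) {
        result = ERR_BAD_EXTENSION;     /* parse failure, not an answer */
        goto cleanup;
    }
    if (strcmp(cert->issuer, issuer->subject) != 0) {
        result = 0;                     /* names do not chain */
        goto cleanup;
    }
    result = issuer->basic_constraints_ca ? 1 : 0;

cleanup:
    return result;
}

/* Vulnerable caller: "anything but 0 means CA", so ERR_BAD_EXTENSION (-42)
 * is accepted exactly like a genuine 1. A certificate with a malformed CA
 * extension therefore passes verification. */
int verify_chain_vulnerable(const cert_t *leaf, const cert_t *issuer)
{
    if (check_if_ca(leaf, issuer) == 0)
        return 0;   /* rejected */
    return 1;       /* accepted, including on error */
}

/* Hardened caller: only the exact success value counts as success, and any
 * error fails closed. */
int verify_chain_fixed(const cert_t *leaf, const cert_t *issuer)
{
    int ret = check_if_ca(leaf, issuer);

    if (ret < 0)
        return 0;   /* error while verifying: reject */
    return ret == 1;
}

/* Constructed sample certificates (not real X.509 data). */
static const cert_t leaf   = { "www.example.com",   "Evil Intermediate", 0 };
static const cert_t forged = { "Evil Intermediate", "Some Root",        -1 }; /* malformed CA extension */
static const cert_t real   = { "Evil Intermediate", "Some Root",         1 }; /* proper CA */
static const cert_t notca  = { "Evil Intermediate", "Some Root",         0 }; /* end-entity posing as issuer */

int main(void)
{
    printf("forged issuer: vulnerable=%d fixed=%d\n",
           verify_chain_vulnerable(&leaf, &forged), verify_chain_fixed(&leaf, &forged));
    printf("real CA:       vulnerable=%d fixed=%d\n",
           verify_chain_vulnerable(&leaf, &real), verify_chain_fixed(&leaf, &real));
    printf("non-CA issuer: vulnerable=%d fixed=%d\n",
           verify_chain_vulnerable(&leaf, &notca), verify_chain_fixed(&leaf, &notca));
    return 0;
}
```

The practical lesson for anyone auditing such code: a function that mixes boolean answers with negative error codes must never be tested with `if (f())` or `!= 0`; compare against the single success value and treat everything else as rejection.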
Oops! This does not mean the Linux kernel itself is the problem, but it does show that a single library can bring a system's security to its knees (and that goes for any operating system, not just Linux).
This also shows that "many eyes" does not equal security! Remember that ALL software will have security problems, whether it is Windows, Mac OS X, Linux, UNIX, e-mail servers, DNS servers, forum software (phpBB, vBulletin, etc.) or even a desktop word processor: any of them can contain bad code that puts your computer at risk.
Worse, the open source community was warned ahead of time (back in 2008!) that GnuTLS was not safe to use (http://www.openldap.org/lists/openldap-devel/200802/msg00072.html)! Did they not get the message? Did they ignore the warning? Who knows!