Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
[Via Ars Technica]
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.
The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.
This bug may well have been there since 2005! The cry of Open Source is that, because so many eyeballs can see everything, critical bugs get found.
In contrast to closed source systems, such as Apple’s OS.
The reason these bugs were found was because people were specifically looking for them. Testing or eyeballs did not reveal them. Because Snowden released slides indicating that the NSA was specifically getting client data from various OS, including Windows, iOS and Linux.
This bug actually makes it easier for someone to get the information than Apple’s bug. For the hacker to use Apple’s bug, they had to be on the same network. But this one does not require that be the case.
You can bet that the NSA has been using this bug to get ahold of encrypted data from anyone using the appropriate Open Source tools.
All in systems that everyone supposedly can review.
The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.
This was only found when some of the Open Source companies held audit reviews, probably to check out the very bug Apple found,
There was lots of criticism for Apple’s supposedly poor coding and bad error testing. But here we have something that has been a part of Linux for perhaps 10 years. Where was all the great checking by all those eyeballs?
I have to say that if Snowden’s revelations only helped Apple and others to identify these bugs (simply because they looked) he should be welcomed as a whistleblower. Because these are really devastating security flaws.