Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

timothy posted about 4 months ago | from the holes-to-plug dept.

Debian 144

According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

cancel ×

144 comments

Real question (1)

Anonymous Coward | about 4 months ago | (#46675779)

Who uses GnuTLS over OpenSSL anyway?!

Re:Real question (1, Troll)

GPLHost-Thomas (1330431) | about 4 months ago | (#46676101)

Anyone who can't get into the trap of the OpenSSL non-advertising licensing issue which is not compatible with the GPL license.

Re:Real question (1)

Anonymous Coward | about 4 months ago | (#46676913)

Correction, who uses GPL over BSD anyway?!

Re:Real question (0, Troll)

Anonymous Coward | about 4 months ago | (#46678815)

Sadly, hardly anyone. And ith will be free software's undoing.

Kids these days take too much for granted

Re:Real question (2)

MightyYar (622222) | about 4 months ago | (#46676109)

In my ports tree:
        audio/ario
        audio/pianobar
        deskutils/fusenshi
        deskutils/taskd
        deskutils/taskwarrior
        devel/gwenhywfar
        devel/gwenhywfar-fox16
        devel/gwenhywfar-gtk2
        devel/gwenhywfar-qt4
        devel/librelp
        devel/libvirt
        editors/abiword
        editors/emacs
        editors/emacs-nox11
        emulators/qemu
        emulators/qemu-devel
        ftp/filezilla
        ftp/wput
        ftp/wzdftpd
        games/pokerth
        irc/bitlbee
        irc/ctrlproxy
        irc/weechat
        japanese/jd
        lang/gnustep-base
        mail/anubis
        mail/claws-mail
        mail/libvmime
        mail/xfce4-mailwatch-plugin
        multimedia/ffmpeg
        multimedia/libav
        net/csync2
        net/glib-networking
        net/gtk-vnc
        net/morebalance
        net/net6
        net/remmina-plugin-vnc
        net/samba4
        net/samba41
        net/sixxs-aiccu
        net/tigervnc
        net/vino
        net-im/gloox
        net-im/jabber
        net-im/loudmouth
        net-p2p/gtk-gnutella
        net-p2p/ncdc
        news/nzbget
        security/gnomint
        security/gsasl
        security/libprelude
        security/libpreludedb
        security/openvas-libnasl
        security/openvas-libraries
        security/openvas-plugins
        security/prelude-lml
        security/prelude-manager
        security/py-gnutls
        security/shishi
        sysutils/heartbeat
        textproc/iksemel
        www/gurlchecker
        www/hydra
        www/mod_gnutls
        www/wwwoffle
        www/xombrero
        net-im/jabber.el
        editors/emacs-devel
        multimedia/vlc

And some linux ports of Acrobat Reader and CUPS libraries. There is also a module for Apache.

Re:Real question (1)

Aethedor (973725) | about 4 months ago | (#46678201)

Not GnuTLS, but PolarSSL. Reason for moving away from OpenSSL is because of it's horrible documentation. Or, better said, the lack of any documentation. Tried to implement SNI support in my open source web server (Hiawatha http://www.hiawatha-webserver.... [hiawatha-webserver.org] ), but there was no proper documentation or example code available. With PolarSSL, it was done within a day. All other SSL features were implemented in a more cleaner way. No ugly callback stuff. Even with the OpenSSL 1.0.0 release some time ago their documentation was still incomplete. I seriously don't now how to take a piece of software (specially libraries) serious with proper and complete documentation. I believe proper documentation and support is even more essential to software than code quality.

It's time (5, Funny)

Ol Olsoc (1175323) | about 4 months ago | (#46675783)

This if nothing else, should show everyone it's time to switch to Windows, the OS immune to exploits.

Ha! (0)

Anonymous Coward | about 4 months ago | (#46675829)

Funny :) I suppose we should switch all of our web-servers to IIS too?

Re:Ha! (1)

Cenan (1892902) | about 4 months ago | (#46676031)

Of course you blithering idiot, why do you think we have all this bloat lying around, if not for your protection?

Re:Ha! (3, Funny)

rubycodez (864176) | about 4 months ago | (#46676501)

and the blue screening of classic windows provides a hard shield against any rogue processes owning the machine for too long

Re:Ha! (0)

Anonymous Coward | about 4 months ago | (#46676971)

Funny :) I suppose we should switch all of our web-servers to IIS too?

Duh...Sharepoint!

Re:It's time (0)

INT_QRK (1043164) | about 4 months ago | (#46676007)

Mod + 5 "Freakin' Hilarious!"

Only when (0)

Anonymous Coward | about 4 months ago | (#46676105)

You pay 5.5 billion for a supprt contract for XP

Re:It's time (0)

Anonymous Coward | about 4 months ago | (#46676371)

The bug is cross platform...

And yet... (0)

Anonymous Coward | about 4 months ago | (#46675787)

Even if the distribution doesn't provide the update as quickly as desired...

The site can get the update directly from the project and apply it themselves.

Re:And yet... (5, Informative)

GPLHost-Thomas (1330431) | about 4 months ago | (#46676139)

Please define "as quickly as desired". Debian was fixed on the 3rd of March which is the date of the Debian Security Advisory [debian.org] , that's pretty quick to me. I wonder exactly why this article pops up now, when it's been a long time we've been all patched.

Re:And yet... (0)

Anonymous Coward | about 4 months ago | (#46676347)

"Issuing a patch from the distro" =/= "all systems patched in the wild, in tens of thousands of nodes across dozens of data centers around the world."

For all the speed with which Debian rolled out a patch, it'll still be months or years before this patch makes it into the wild on all the systems it's being used on.

Re:And yet... (0)

Anonymous Coward | about 4 months ago | (#46676409)

The flaw you just described is cross-platform ;)

Re:And yet... (4, Insightful)

houstonbofh (602064) | about 4 months ago | (#46678021)

For all the speed with which Debian rolled out a patch, it'll still be months or years before this patch makes it into the wild on all the systems it's being used on.

When you show me the OS that has a patch for idiot, lazy or incompetent operators, I will buy you a beer.

Re:And yet... (1)

Temkin (112574) | about 4 months ago | (#46677105)

Ok, the major "workstation" & server distro's patched. How about the embedded distro's? OpenWRT? DD-WRT? Do you run OpenVPN on your router? Does it even depend on GNUtls?

How about the hundreds of other embedded distro's? Bank ATMs?

Re:And yet... (3, Interesting)

houstonbofh (602064) | about 4 months ago | (#46678029)

Forget openwrt... How about all the ISP provided "Firewalls" that are total garbage, have one password, and can not be updated?

routers, package management, vpn (1)

merriam (16227) | about 4 months ago | (#46679509)

Generally you're right to point to router security, but I don't think it's relevant here. Router software package installation -- where you might think you want tls to fetch the package safely -- should be using package signatures rather than relying on tls.

Article writer Dan Goodin missed this point in his first draft. He thought he had a story, and failed at the fact-checking stage.

Would you rely on X.509 for a vpn? The implementation is irrelevant.

ATMs, no. Web banking really does have a problem, and it's much bigger than bugs in tls.

I think David Jao and others are right, and this is not news.

Old news (5, Insightful)

David Jao (2759) | about 4 months ago | (#46675789)

This is quite old news, why is slashdot only picking up on it now?

The impact of this bug does not compare to the goto fail bug. Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

Re:Old news (1, Interesting)

postbigbang (761081) | about 4 months ago | (#46675897)

It indeed is the same level as the bug Apple fixed. Plentiful access methods are hinged on this lib and code.

It's non-trivial, and affects clients and servers in a wide breadth. Yes, were you watching, you'd have upgraded to fixed versions. Too many, however, don't know the difference between a CVE and a live hand grenade. Or they weren't watching. Same vulnerability result.

Re:Old news (1)

rubycodez (864176) | about 4 months ago | (#46676521)

you are silly, it's already been patched and moreover the gnu crap isn't widely used on web connected servers.

it's a non-issue

Re:Old news (0)

Anonymous Coward | about 4 months ago | (#46676605)

For several years, OpenSSL had no support for virtual hosts. This would have lead to many smaller multi-site servers using GnuTLS. While the feature has been added to OpenSSL, web servers are rarely running the latest and greatest.

Re:Old news (0)

Anonymous Coward | about 4 months ago | (#46676877)

Open SSL provides a library.

Why should it make any difference if it is used on a virtual host?

Re:Old news (2, Funny)

BasilBrush (643681) | about 4 months ago | (#46677531)

"The GNU crap". :-)

It's amazing how quite the FOSS community will throw Stallman under the bus, if the alternative is accepting parity with Apple's security bug.

Near Zero Impact (4, Informative)

marienf (140573) | about 4 months ago | (#46675911)

> Most Linux distributions use OpenSSL for TLS.
> Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation,
> and if it doesn't, then it's not affected by this bug (one example is Google Chrome)

Agree. I've ran through everything that linked to gnutls on my distro (Arch) and although there's
quite a lot of binaries that do, most of those do not offer TLS connections (or any network connectivity at all), so my
guess (without knowing GNuTLS at all) is that they use some other feature offered by the library.

Of those that I know actually capable of SSL/TLS connections, all (also) link to OpenSSL.

So without making a definitive statement, AFAICT this should have near zero impact on GNU/Linux.

Re:Near Zero Impact (1)

Anonymous Coward | about 4 months ago | (#46676041)

so my guess (without knowing GNuTLS at all) is that they use some other feature offered by the library.

Probably because just like OpenSSL it provides implementations of hash functions (MD5 SHA1 etc), private key algorithms etc
http://gnutls.org/manual/gnutls.html#Using-GnuTLS-as-a-cryptographic-library

Re:Near Zero Impact (1)

Anonymous Coward | about 4 months ago | (#46677097)

Check the arch reverse dependencies - wget might be impacted. Pretty much nothing else that's popularly used is affected. As others have said, fortunately, this was patch last month.

Re:Old news (4, Funny)

ganjadude (952775) | about 4 months ago | (#46675917)

its a timmy post...

"Linux" refers to a broad range of systems and vendors, rather than a single company,

really? this is /. timmy, get with the program, everyone knows this because THIS YEAR will be the year of linux on the desktop

Re:Old news (5, Informative)

swillden (191260) | about 4 months ago | (#46675923)

This is quite old news, why is slashdot only picking up on it now?

Slashdot picked it up on March 4th [slashdot.org] , actually. This is a dupe.

The impact of this bug does not compare to the goto fail bug.

Agreed.

Re:Old news (2)

Sipper (462582) | about 4 months ago | (#46676051)

Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

Another (non-issue) example is MTA (email) transfers; typically on Linux systems MTAs such as Exim use GnuTLS for TLS transfers, but purposely don't do certificate verification (but can be specifically configured to do so).

This is still a serious security issue for anything that does use GnuTLS for certificate verification of course, but off the top of my head I don't have a specific example of where this is done on the Linux platform. [There probably is an example to be found somewhere though.]

Re:Old news (2)

c4t3l (3606237) | about 4 months ago | (#46676089)

What is even funnier is that "one of the biggest names in the Linux world, "RedHat"" fixed the damn bug the day before the original article was published... Nice try idiots (read Ars Technica)...

Re:Old news (1)

maccodemonkey (1438585) | about 4 months ago | (#46676701)

It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

It's worth noting there is 100% no such rule. There is no app store rule enforcing any certificate validation or networking technology. Almost all the app store rules these days are around content, not technical implementations. The only technical rule I can think of off the top of my head is no using private functions in Apple's libraries, which is a no brainer.

OpenSSL is widely used, and in fact has it's own section in Apple's documentation acknowledging so. From TFM:
"Further, although OpenSSL is commonly used in the open source community, it does not provide a stable API from version to version. For this reason, the programmatic interface to OpenSSL is deprecated in OS X and is not provided in iOS. Use of the Apple-provided OpenSSL libraries by apps is strongly discouraged.

To ensure compatibility, if your app depends on OpenSSL, you should compile it yourself and statically link a known version of OpenSSL into your app. Such use works on both iOS and OS X."

The More You Know(TM).

Re:Old news (1)

David Jao (2759) | about 4 months ago | (#46678123)

You missed one major technical rule: all browsers on iOS that support local rendering are required to use the system rendering engine.

Re:Old news (1)

maccodemonkey (1438585) | about 4 months ago | (#46678179)

You missed one major technical rule: all browsers on iOS that support local rendering are required to use the system rendering engine.

Yeah. To Google and Mozilla, this is probably a big deal. To a developer? As long as the content runs, it doesn't really matter. I've never really found an instance where I'm going "Gee, I really wish I was able to embed Chrome here."

It is a little frustrating UIWebView on iOS doesn't have all the DOM editing/inspection functions that WebKit on the desktop has, but it is pretty flexible and customizable. In relation to the original article, you can even override the connection functionality and probably override any certificate validation.

Apple's approach is also relevant because by making everyone use the same web engine from the same dylib, Apple can patch security problems in everyone's apps without having apps have to update one by one. It's likely why they have this rule in place.

Re:Old news (2)

hydrofix (1253498) | about 4 months ago | (#46677143)

This is quite old news, why is slashdot only picking up on it now?

Slashdot did pick it up [slashdot.org] earlier already when it was first announced. So it's a dupe, really.

Re:Old news (1)

neiras (723124) | about 4 months ago | (#46677499)

This is a dupe. We saw this on slashdot weeks ago.

I researched into this and OpenSSL' bugs, and.. (1)

Anonymous Coward | about 4 months ago | (#46678469)

The GnuTLS bug is freakishly easy to exploit. The OpenSSL bug at least requires you to modify your code to exploit the bug. This one is almost work-free.

If the same bug appears on OpenSSL, I would immediately disable all SSL related applications.

Thank god nothing uses GnuTLS...except aptitude.

(I am a security researcher who spent a day or 2 researching these 2 bugs)

Slow weekend over at Ars? (4, Informative)

Zontar The Mindless (9002) | about 4 months ago | (#46675803)

My distro patched this over a month ago.

Re: Slow weekend over at Ars? (0)

Anonymous Coward | about 4 months ago | (#46675875)

Not Ars's fault: "by Dan Goodin - Mar 4, 2014 6:56 pm UTC"

Re: Slow weekend over at Ars? (1)

Zontar The Mindless (9002) | about 4 months ago | (#46676199)

Heh, I might have known. Same day that openSUSE issued their patch, even.

Ladies & Gentlemen (-1)

Anonymous Coward | about 4 months ago | (#46676359)

For your entertainment pleasure: LIVE - absolutely live, Captain "PhRooT-LooP" http://slashdot.org/comments.p... [slashdot.org] hahahaha

Re:Slow weekend over at Ars? (-1)

Anonymous Coward | about 4 months ago | (#46675879)

Your defective mentally addled brain was never patched vs "PhRooT-LooPism" (lmao) http://slashdot.org/comments.p... [slashdot.org]

Re:Slow weekend over at Ars? (-1)

Anonymous Coward | about 4 months ago | (#46676975)

My friend,

Does stalking people and posting the same thing 50 times or more really give you pleasure or a sense of worth?

What have these folks you keep harassing done to you? I've never seen them do anything at all like what you keep doing.

What a sad life you must be living, so mired in sin and sorrow and darkness. How sad it must be to know you're only doing the work of the Devil.

Jesus Christ can help you out of this, you know, but you must let Him into your heart first. This is all it takes, my friend: Acknowledge Him as Saviour, and he will bring you out of the darkness. Just accept Him.

You know in your heart that Jesus and ONLY Jesus the Son of God can heal the sorrow that Satan has cast upon your soul. Why not open yourself to Him NOW?

Philippians 4:6-7 "Do not be anxious about anything, but in every situation, by prayer and petition, with thanksgiving, present your requests to God. And the peace of God, which transcends all understanding, will guard your hearts and your minds in Christ Jesus."

I will pray for you tonight.

Re:Slow weekend over at Ars? (1)

thoth (7907) | about 4 months ago | (#46677107)

Slow weekend at Ars? Had you actually looked at the Ars article, you may have noticed it was from one month ago, March 4 2014.

The fact it's here now (and is also a dupe of a previous article here) reflects more on Slashdot and its submitters and editors, than Ars.

Re:Slow weekend over at Ars? (1)

Zontar The Mindless (9002) | about 4 months ago | (#46677969)

Had you actually read this thread, you'd have seen that the article date has already been brought up, and I've already taken note of same. But, hey, thanks for playing.

Re:Slow weekend over at Ars? (-1)

Anonymous Coward | about 4 months ago | (#46678219)

We read you're a nutcase http://slashdot.org/comments.p... [slashdot.org]

There are rumours... (3, Interesting)

gnasher719 (869701) | about 4 months ago | (#46675809)

that Apple took notice of some accusations that the NSA managed to modiy some open source codebases, reviewed all code that was checked in at about the suspicious time frame, and found the "goto fail" bug that way. No idea whether this is true, but I'd be curious who checked in this bug.

Re:There are rumours... (3, Informative)

Megol (3135005) | about 4 months ago | (#46675859)

There are also rumors that all the worlds leaders are reptilians.

Re:There are rumours... (1)

swb (14022) | about 4 months ago | (#46676009)

You misspelled "suppressed truth".

Re:There are rumours... (1)

INT_QRK (1043164) | about 4 months ago | (#46676027)

Yep. That one's true, by the war.

Welcome to the New World Order (0)

Anonymous Coward | about 4 months ago | (#46676393)

This will be the last post you ever make. The black helicopters will swoop you up and take you to the area 51 where aliens will perform experiments on you on the set where they faked the moon landing.

And lmfao, the captia was "abortion"!

Re:Welcome to the New World Order (2)

Immerman (2627577) | about 4 months ago | (#46677455)

Who said anything about aliens? The reptilians are actually an earlier sentient species of Earthling, driven underground by the asteroid impact that ushered in the extinction of the dinosaurs. They're only meddling in primitive Human politics to keep us from interfering with their space program.

People use GnuTLS? (4, Insightful)

aleph (14733) | about 4 months ago | (#46675845)

Is anyone other than Debian zealous enough to use GnuTLS?

I rarely agree with Howard Chu of OpenLDAP fame, but... http://www.openldap.org/lists/... [openldap.org]

Re:People use GnuTLS? (0)

Anonymous Coward | about 4 months ago | (#46676209)

On my Fedora 18 system, the only thing that rpm shows needing GnuTLS is OpenConnect, and I don't use it, nor do I know how popular it is.

Re:People use GnuTLS? (1)

neiras (723124) | about 4 months ago | (#46677507)

Hey! I got the karma for posting that link in the first article, you... you... karma whore! ;)

Stop using GNU TLS (1)

Anonymous Coward | about 4 months ago | (#46675925)

And use OpenSSL. As awkward as it may be, it doesn't have the design flaws that GNU TLS does.

Re:Stop using GNU TLS (0)

Anonymous Coward | about 4 months ago | (#46676055)

OpenSSL's code is even more of a pile of indirected multiply abstracted crap than GNU TLS. Frankly both need to be refactored in separately and parallel for maximum simplicity and security.

(CAPTCHA: entrap ;-) )

Re:Stop using GNU TLS (1)

aleph (14733) | about 4 months ago | (#46676579)

OpenSSL is far far from great (the API, my eyes, they burn! don't get me started on openssl error codes/messages), but it's not quite the steaming pile of something smelly GnuTLS is.

Although it has improved somewhat over the past few years, at least on the "other SSL clients will actually interoperate" side of things.

Re:Stop using GNU TLS (1)

wiredlogic (135348) | about 4 months ago | (#46676919)

You should poke through the OpenSSL code some day. It's pretty stinky.

What the hell is this, timothy? (5, Insightful)

Anonymous Coward | about 4 months ago | (#46675935)

Are you trolling for an Apple-vs-Linux flame war? do you have a zealous attachment to Apple? or are you just dull?

1) This is old news, and the /. has already reported on it;

2) Hardly anything uses the GNU TLS library, and for the same reason people have been advising against Apple's rewrite of security libraries: because it's better to use something that's had over a decade of development and review and is widely deployed across a series of platforms;

3) You're arguing about the heterogeneity of the Linux platform as if it's a bad thing, while in fact this acts in Linux's favour. Even though the GNU project might like people to use gnutls, distros have chosen not to. Apple either discourages choice or makes it impossible, depending on what exactly you're targeting, which is why everything was affected.

Re:What the hell is this, timothy? (1)

sirlark (1676276) | about 4 months ago | (#46678077)

And what's this saying that heterogeneity of the Linux world will make fixing it more difficult? Fix it upstream, and most distros, and ALL the major ones will have it out a s a security update in less than a week.

yep, it is old news - already fixed in most Linux (2)

mpb (41407) | about 4 months ago | (#46675987)

Fixed at the beginning of March.
Example: http://advisories.mageia.org/MGASA-2014-0117.html

"Nothing to see here. Move on."

If GNUTls is unneeded, then create a NO-OP library (1)

Marrow (195242) | about 4 months ago | (#46675999)

Create a library with that name that does nothing, or logs errors for any entry points. Why is something being shipped that is insecure. I understand that the builds have to be changed. But the library could be replaced with a skeleton right now, can't it?
And maybe we would see that its not quite as in-active as people think.

Re:If GNUTls is unneeded, then create a NO-OP libr (5, Informative)

Sipper (462582) | about 4 months ago | (#46676079)

Create a library with that name that does nothing, or logs errors for any entry points. Why is something being shipped that is insecure. I understand that the builds have to be changed. But the library could be replaced with a skeleton right now, can't it?
And maybe we would see that its not quite as in-active as people think.

There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion. There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

As for why GnuTLS exists, AFAIK it's mainly because of licensing issues -- compiling a GPLv2+ program against OpenSSL gets into licensing troubles, so there needed to be a GPL compatible alternative.

Re:If GNUTls is unneeded, then create a NO-OP libr (1)

swillden (191260) | about 4 months ago | (#46676557)

There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion.

Unauthenticated public key encryption is useless against an active attacker (one able to modify traffic, rather than just eavesdrop on it).

There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

Huh? Even for SSMTP, certificates can -- and must! -- be checked.

Re:If GNUTls is unneeded, then create a NO-OP libr (1)

Sipper (462582) | about 4 months ago | (#46677091)

There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

Huh? Even for SSMTP, certificates can -- and must! -- be checked.

I think you mean ESMTPS. And no, usually TLS certificates are not checked by default (they can be, optionally); many TLS certificates used for ESMTPS are not signed by a CA, so there's nothing to check them against. There's also a new DANE protocol where domains that are using DNSSEC can specify TLS certificate details for mail in the DNS record for the domain, but this is currently not popular (supposedly only about 20 domains are using it). Other issues with this are that a number of DNS servers haven't implemented DNSSEC, and a number of MTAs haven't implemented the DANE protocol either.

And we don't want the situation where mail domains have to have thier TLS certificate signed by a CA, because that gets back into the mess of "which CAs are trustworthy" for mail purposes, paying fees for SSL certificate signatures, and so on. It's better to at least have encrypted email transfers than to only allow encrypted transfers from authenticated senders.

Re:If GNUTls is unneeded, then create a NO-OP libr (1)

swillden (191260) | about 4 months ago | (#46677391)

It's better to at least have encrypted email transfers than to only allow encrypted transfers from authenticated senders.

Better in what sense? Without authentication MITM attacks are trivial, making the encryption irrelevant.

If what you say is true (and it probably is) then the state of e-mail security is even worse than I thought it was. Most mail providers don't support TLS anyway, but without authentication it doesn't really matter if they do.

Re:If GNUTls is unneeded, then create a NO-OP libr (1)

Xylantiel (177496) | about 4 months ago | (#46678789)

MITM requires active interception to eavsdrop, wheras an unencrypted connection is vulnerable to passive eavesdropping. That is the sense in which an encrypted but not properly authenticated connection is "better". Also if the ID of the offered certificate is logged it is possible to audit for a MITM attack after the fact. According to Snowden, the NSA can crack 1024 bit certs' private keys. So really even properly verifying the cert is not secure depending on who your adversary is.

Re:If GNUTls is unneeded, then create a NO-OP libr (1)

Sipper (462582) | about 4 months ago | (#46679445)

If what you say is true (and it probably is) then the state of e-mail security is even worse than I thought it was. Most mail providers don't support TLS anyway, but without authentication it doesn't really matter if they do.

Actually it's quite common for email providers to support TLS transfers today. And the reason I think that's true is that one isn't required to purchase a CA-signed certificate to get that working. If we all had to purchase a CA-signed certificate, I think it would become more rare to see TLS transfers to/from privately-held servers.

If you look at the mail headers for email you receive, you're likely to find "smtps" or "esmtps" in the Received: lines which indicates that it was sent via a TLS transfer. Most mailing list traffic is often done without TLS, though there are exceptions -- Debian's mailing lists still use TLS transfers, which is good.

Wow, that made it seem 10 times worse, thanks! (1)

Marrow (195242) | about 4 months ago | (#46676673)

Yes its used, but only sometimes. Only for that mail stuff, and hey maybe only if someone else is handling authentication because we know thats broken. And we need the stuff there for legal reasons and we need it there as an alternative. Just in case we need to use it, even though we know its broken.

So tell me, why cant we have the parts we know are insecure issue a log each time they are run?

xubuntu seems patched (1)

Marrow (195242) | about 4 months ago | (#46676923)

libgnutls26:amd64 2.12.23-1ubuntu4.2

zless /usr/share/doc/libgnutls26/changelog.Debian.gz

gnutls26 (2.12.23-1ubuntu4.2) saucy-security; urgency=medium

    * SECURITY UPDATE: certificate validation bypass
        - debian/patches/CVE-2014-0092.patch: correct return codes in
            lib/x509/verify.c.
        - CVE-2014-0092

  -- Marc Deslauriers Mon, 03 Mar 2014 14:14:00 -0500

Re:Wow, that made it seem 10 times worse, thanks! (1)

Sipper (462582) | about 4 months ago | (#46677127)

So tell me, why cant we have the parts we know are insecure issue a log each time they are run?

I understand what you're trying to get at; you'd like to have a log of the failure. However unfortunately that wouldn't tell you what you needed to know in this case; if you did have logging on this, the result you'd get would be "client authenticated" even though it was possible that the authentication actually didn't succeed. :-(

The unfortunate truth is that software bugs happen, and bugs that report success are harder to find than bugs that cause a failure.

Nonsense (0)

K. S. Kyosuke (729550) | about 4 months ago | (#46676005)

"Linux" refers to a broad range of systems and vendors

Actually, Linux refers to the operating system kernel which has nothing to do with GnuTLS. (Wow, someone actually uses GnuTLS?)

Re:Nonsense (-1)

gl4ss (559668) | about 4 months ago | (#46676309)

it might mean that but it doesn't actually refer to that when people speak, so go drink your beers with rms.

Re:Nonsense (1)

Bengie (1121981) | about 4 months ago | (#46677415)

"Linux" refers to whatever people want it to refer to. Language is decided by the majority and you're the minority, meaning you're using it incorrectly.

Open source can't be patched? (1)

tomhath (637240) | about 4 months ago | (#46676017)

From the Really Bad Submission:

And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

Gee. it sure is a problem that Red Hat, Debian, or Ubuntu couldn't just, you know, fix the bug and recompile the source code. Oh wait, they already did

FTFA

GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as "an important (and at the same time embarrassing) bug discovered during an audit for Red Hat." Debian's advisory is here.

NO LONGER AN ISSUE (0)

Anonymous Coward | about 4 months ago | (#46676019)

This is a problem only where sysadmins don't regularly update their systems.
It's Okay, boys: this is FIXED already.

Trust No One (-1)

Lawrence_Bird (67278) | about 4 months ago | (#46676063)

This story should prove once and for all that "open source" != secure and that "open source" does not provide any different level of security than closed source. Over eight years and well.. nobody noticed. Nobody cared. And if they did, they certainly were not up to the task at hand. You would think that code that is critical to a secure connection might, just might, get a little more thorough review than say.. the latest eye candy in kde or gnome? Where were all those eyes that we always hear about that will vet open source code? Was it just too hard? Or maybe it just didn't get them hard because it was not a sexy project?

And before RS marks me a troll - this is not to say closed source is inherently secure or less prone to bugs either. The point in this particular case is that any one trusting the veracity of code, crypto stuff in particular, is kidding themself and that in general the openess of code does not make it better.

Re:Trust No One (0)

Anonymous Coward | about 4 months ago | (#46676183)

That's why I use semaphore code, no freaking computers for me, as I couldn't investigate the hardware AND software myself, and, as you say, trust no one. But I CAN trust my semaphore flags. I sometimes use morse code, but I'm not sure if there are any bugs in the transmission of it.

Re:Trust No One (0)

Anonymous Coward | about 4 months ago | (#46677595)

I prefer Aldis Lamps. They're quite versatile - we just did a performance of Julius Caesar with them.

Re:Trust No One (2, Interesting)

mark-t (151149) | about 4 months ago | (#46676357)

The difference is that with closed source, the only exploits that are discovered by third parties and get fixed are those that have already been exploited, and already resulted in vulnerable systems.

With open source, exploits can potentially be discovered and reported by other parties *before* the exploit has actually ever been used, meaning that a fix is available at the same time that the exploit becomes public knowledge, and anyone who updates as soon as such an exploit becomes known has a higher level of confidence that their system will have not yet been compromised. The very fact that open source may also make it easier for a third party to find a way to exploit a previously unknown vulnerability also makes it easier for a third party to take action that will lead to the issue being corrected.

With open source, such critical bugs can and actually *will* be fixed, a sufficiently technically competent individual could even do so themselves, where with closed source, absolutely everyone is at the whim of the development team's schedule.

Re:Trust No One (0)

Lawrence_Bird (67278) | about 4 months ago | (#46676803)

The difference is that with closed source, the only exploits that are discovered by third parties and get fixed are those that have already been exploited, and already resulted in vulnerable systems.

This is an unprovable statement. You have no idea how many exploits are discovered by the authors or those in charge of maintaining closed code nor how many of those are fixed.

What your statement really is saying is that the only publicized exploits are those found by third parties. And this is, for the most part, the same with open source code.

With open source, such critical bugs can and actually *will* be fixed,....

Eight years later? And this in code needed for security. Are you saying my confidence in open source code review should be increased now?

Re:Trust No One (1)

mark-t (151149) | about 4 months ago | (#46676933)

EIght years is better than never.

This bug was fixed the same day that it became public knowledge. Unless the bug was discovered by the internal team, this will never be case with closed source.

Re:Trust No One (3, Insightful)

Arker (91948) | about 4 months ago | (#46676363)

Free/Open code is a necessary but not sufficient condition for security.

Re:Trust No One (1)

serviscope_minor (664417) | about 4 months ago | (#46676805)

This story should prove once and for all that ... "open source" does not provide any different level of security than closed source.

Um how? It proves that OSS is not perfect. No one ever claimed otherwise. An isolated incident proves nothing about the reltive security of the two.

OpenBSD (OSS) has had a couple of security flaws over the years. Windows 95 also had "some". Doesn't mean they're equally secure.

Re:Trust No One (0)

Anonymous Coward | about 4 months ago | (#46677111)

Maybe it just prove that you should use the tested variant even if you don't like the license. Most people use openSSL and even gnuTLS was fixed before it hit the news (a month ago). If it proves something, it proves that some people are too ideologically entrenched. There is really good and reviewed stuff out there and then come the GPL evangelists, writing stuff again and a little bit different just to make a point and sometime a little bit too different.

Re:Trust No One (0)

Anonymous Coward | about 4 months ago | (#46677417)

It's not a question of "liking" the licence, it's a question of legally being allowed to use it or not.

Editor's "editing" (1)

oldhack (1037484) | about 4 months ago | (#46676611)

And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

Now, who was this comment for? Half the stories generate complaints about obcure acronyms and lack of context in the summary, but you manage to throw that in?

Re:Editor's "editing" (0)

Anonymous Coward | about 4 months ago | (#46676791)

I agree. Even if this is a problem for many distros, it still only gets fixed in one place and the distros pick up the fix.

Open Source commercial (1)

peppepz (1311345) | about 4 months ago | (#46677533)

And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

And thanks to the LGPL license of GnuTLS, all the users have the possibility to upgrade their systems, independently of whether Red Hat, Debian, Ubuntu, Apple, Microsoft believe that maintaining those systems is still commercially convenient or not. GPLv3 would be better, as it would give the users the warranty of being able to actually install the updated code into their devices, which is important for non-PCs.

WoW Just in time for April 8th (0)

Anonymous Coward | about 4 months ago | (#46677769)

I'd hate to think some people are being bankrolled to vilify Linux just as Windows XP is dumped and new operating systems are under consideration.

What a coincidence given this is old news, patchable and SSL'able. How cynical of me.

Trolling timothy (0)

Anonymous Coward | about 4 months ago | (#46677785)

And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

What a trolling comment. Each Linux distro is an OS in its own right. Red Hat, Debian and Canonical can also readily fix a bug in their distros and have a good record of releasing fixes fast when it comes to security issues.

March != April (1)

Just Brew It! (636086) | about 4 months ago | (#46678197)

Looks like someone can't tell the difference between "March" and "April". Hint: "April" is the one that starts with an "A".

The major distros posted patches for this flaw to their repositories within a day or two of it being made public. (Not to say that it isn't embarrassing for stuff like this to make it into the codebase; but at least it was fixed quickly once it was discovered.)

Microsoft PR Fail (3, Interesting)

darkonc (47285) | about 4 months ago | (#46678471)

I don't mind the heads-up about a little-used piece of Gnu software (as pointed out, most distros push OpenSSL), but I do mind astro-turfing the Microsoft PR line of "Nobody's responsible if Linux fails!"

The irony, of course, is that most people haven't read Microsoft's EULA which effectively says 'Not only are we not responsible if Windows fails, but we'll sue you if you try to fix it yourself.'

This is really gonna bite the hundreds of millions running XP who will be orphaned this year when Microsoft stops supporting it. Not only do they face the prospect, in a matter of weeks, of never again seeing security updates from Microsoft, but it will be illegal to even try to fix future bugs themselves (or hire a third party to do it).

This last bit is something that Linux users have as a right

Linux is not an Operating System (1)

therealprologic (2118298) | about 4 months ago | (#46679181)

Can we please stop refereing to Linux as if it's an Operating System!? We properly call Apple's Operating System OS X and their mobile variant iOS. We don't call it Darwin now do we? Come on guys! Get it right. This affects RHEL, CentOS, Debian, Ubuntu, Arch, CRUX, etc, etc and anyone else that happens to use the GNU TLS Software in question. Which brings me to another point... What is the software here that's actually affected? gnupgp?

goto (0)

Anonymous Coward | about 4 months ago | (#46679409)

Just try to write an assembler program without using a goto: B R12

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...