http://ift.tt/1dZfvwH
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
...
As was the case with last week's critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced "goto fail" command, the mistakes involve errors with several "goto cleanup" calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It's significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.
http://ift.tt/1diTKuG
A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.
I hope to see the same level of outrage, but a higher level of understanding about the flaw in this thread than in the apple thread :-)
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
...
As was the case with last week's critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced "goto fail" command, the mistakes involve errors with several "goto cleanup" calls. The GnuTLS program, in turn, prematurely terminates code sections that are supposed to establish secure TLS connections only after the other side presents a valid X509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a fraudulent certificate that is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to decrypt protected communications. It's significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.
http://ift.tt/1diTKuG
A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks. The vulnerability was discovered during an audit of GnuTLS for Red Hat.
I hope to see the same level of outrage, but a higher level of understanding about the flaw in this thread than in the apple thread :-)
via JREF Forum http://ift.tt/1dZfvwJ
Aucun commentaire:
Enregistrer un commentaire