Posted on 03/05/2014 10:20:50 AM PST by ShadowAce
A source code mistake in the GnuTLS library, an open-source software building block used in a large number of different Linux distributions to handle secure Internet connections, could prove a serious threat to the privacy of Linux users, as developers rush to patch the vulnerability.
Nikos Mavrogiannopolous, the developer of GnuTLS, announced Monday in a mailing list message that he had implemented a fix to the source code that closes the loophole. The flaw would have enabled an attacker to spoof GnuTLS's system for verifying certificates, exposing supposedly secure connections to stealthy eavesdropping.
By creating a specific type of fake certificate, an attacker could trick GnuTLS into accepting it as genuine, granting access to an otherwise-secure connection. This done, the intruder could monitor traffic flowing through the connection in plain text, and even interject code of his own, potentially opening further avenues of attack.
Mavrogiannopolous, who called the bug embarrassing, said that the issue was discovered during an audit performed on behalf of his employer, Red Hat. Some major Linux distributions have already acted to apply Mavrogiannopolous's fix, according to a security advisory posted by LWN.net. Ubuntu, Debian, Fedora, Red Hat, Oracle, Slackware and SUSE have all rolled out updates aimed at closing the loophole.
The news comes days after Apple patched a similar issue in its own software, which had exposed iOS and OS X users to similar man-in-the-middle attacks. Thanks to the greater consumer reach of Apple's products, that "goto fail" issue received widespread attention, with some commentators even ascribing sinister motivations to Apple's apparent sluggishness in fixing the flaws.
If you don’t like the Unity interface you can always try the Kubuntu or Xubuntu varieties. They are probably identical underneath the desktop.
I’d have migraines.
It’s being worked on, but I can see it as an absolutely huge undertaking.
Considering how many flaws have been found in each OS, how long it takes for a patch to be found, and what happens once you patch them?
M$ has nothing to crow about here.
The article misspells the name. Should be ...poulos not ...polous.
Indeed it is, though if they're using C (or C++) they're making an inherently arduous task even more difficult for themselves.
Ada/SPARK would probably be ideal, as Ada lends itself to these sorts of analyses fairly well and it has good low-level facilities.
A functional language would be excellent for implementing a large portion of the OS w/ verifiable properties, but there are efficiency issues (as well as that they're rather unsuited to low-level manipulations).
IMO we need the fundamental/base portions of our SW to be formally verified: OS, Compiler, the basics of the networking components (like DNS). If that's done the stability/reliability/security of everyday consumer-level software should be immensely improved.
This article is obviously untrue. Linux and Apple products are completely immune from viruses. Only Microsoft products are affected by hackers.
This isn’t a virus.
Green Hills Integrity, for instance?
The worst thing about getting a virus on Linux or Apple is the fact that neither one of them has their act together with regard to fixing and distributing the hotfixes to end users.
Microsoft learned this lesson a long time ago and built an effective system for this. MS is hit more often but that comes with the territory when you own about 90% of the OS market.
Correction, not a virus, agreed. It’s a security flaw. In other words it doesn’t have to propagate to other machines, the hole is already in place and ready to go.
The ruling Kings were less than 1% of any given population.
Now ask yourself, how much of the Internet rests on Linux servers? How much of our power grid and communications networks run on Linux-based appliances?
Now even Google ChromeOS based devices are little more than a fancy front-end for a Linux backend.
A few things to think about...
Good instance // yep.
It's not really a consumer-level OS, though. (The Multivisor looks really interesting.)
No, but it shows bug-free software can be had instead of the garbage these hacker types produce.
Very true — a couple of academics [lit. 2] produced Ironsides, which is a verified DNS, as a proof of concept that formal-verification tools [SPARK's theorem prover] were ready to be used in full applications.
?? ping ??
Sweet! Thanks for that. I work in the DO-178C arena and know what it takes to build bug-free, safety critical systems. It isn’t easy because it is ‘old school’ where most programmers just want to code.