GnuTLS: Big internal bugs, few real-world problems
Posted on 03/07/2014 4:20:54 AM PST by ShadowAce
According to some reports you'd think the security sky was falling. Yes, GnuTLS, an open-source "secure" communications library that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS), has serious flaws. The good news? Almost no one uses it. OpenSSL has long been the open-source TLS library of choice.
Red Hat discovered the latest in a long series of GnuTLS bugs.
Latest? Yes, latest.
You see, GnuTLS has long been regarded as a poor SSL/TLS library. A 2008 message on the OpenLDAP mailing list with the subject "GnuTLS considered harmful" summed it up nicely.
In it, Howard Chu, chief architect for the OpenLDAP, the open-source implementation of the Lightweight Directory Access Protocol (LDAP), wrote, "In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data. I strongly recommend that GnuTLS not be used. All of its APIs would need to be overhauled to correct its flaws and it's clear that the developers there are too naive and inexperienced to even understand that it's broken."
With GnuTLS's most recent and perhaps biggest failure to date, Red Hat found that the library's certificate-verification code could be fooled by a specially crafted X.509 certificate: shown a forged certificate, GnuTLS would fail to see that it was a fake and would treat the connection as authenticated, which is exactly the opening a man-in-the-middle attacker needs.
The project itself, despite its name, is no longer part of the GNU project. Its chief developer, Nikos Mavrogiannopoulos, cited "a major disagreement with the Free Software Foundation's (FSF) decisions and practices" and made it an independent project.
None of this has stopped some people from using GnuTLS. The usual reason is licensing: GnuTLS is under the GNU Lesser General Public License (LGPL), which is considered more compatible with GPL-licensed software such as Linux than OpenSSL's own BSD-style license, whose advertising clause makes it GPL-incompatible without a special exception.
There have been claims that "more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations." This statement was based on a single Debian user group discussion.
When I looked at that thread, the examples cited were Debian network programs that link against GnuTLS: exim4, a mail transfer agent; cups, a print server; wget, a file retrieval program; and network-manager, which sets up network connections. Doing my own digging, I also found that Ubuntu builds OpenLDAP against GnuTLS. Whoops!
Now, make no mistake about it: these are all important programs, but none of them are typically used for financial transfers or other situations where a man-in-the-middle attack is likely to cause large, immediate damage. They are not harmless either; a forged server certificate accepted by wget or by an LDAP client could hand an attacker a tampered download or a directory password, which is why the fix below still matters. In short, while the code is a real mess, it is highly unlikely that anyone is in danger of losing credit-card numbers to it. Apple's iOS and Mac OS X "goto fail" bug was much more serious.
In the real world almost all open-source based Web servers use OpenSSL. Of the two most popular open-source Web servers, Apache uses OpenSSL by default and nginx requires it.
To sum up, no one should be using GnuTLS. There are far better security libraries out there, starting with the far more popular OpenSSL. If for some reason you must use GnuTLS for now, either upgrade to the latest GnuTLS version (3.2.12) or apply the GnuTLS 2.12.x patch. Oh, and developers? Start weaning your programs off GnuTLS; you, and your users, will be glad you did.
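As an added example (not from the article, and not GnuTLS project code), here is a small POSIX shell script that performs the two checks the advice above implies: find which binaries on a Debian/Ubuntu-style host are dynamically linked against libgnutls, and classify the installed library version against the 3.2.12 fix. The function names are mine. The classification rule is a simplification of the article's advice and is an assumption: anything in the 3.x line below 3.2.12 is reported as needing an upgrade, and any 2.12.x version is reported as needing a manual check, because a version string alone cannot tell whether the vendor patch has been applied. The pkg-config/dpkg-query lookup is best-effort.

```shell
#!/bin/sh
# Added example, not code from the article or the GnuTLS project.
# Lists which of the given binaries are dynamically linked against libgnutls
# and classifies the installed GnuTLS version against the 3.2.12 fix.
# Assumption: 3.x below 3.2.12 -> "upgrade"; 2.12.x -> "verify-patch"
# (patch status is not visible in the version string); older lines -> "upgrade".

# version_lt A B : succeed if dotted version A is strictly lower than B.
# Pure POSIX sh, so it does not depend on GNU sort -V being available.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        if [ "$a" = "$ap" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bp" ]; then b=""; else b="${b#*.}"; fi
        ap="${ap:-0}"; bp="${bp:-0}"
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1
}

# gnutls_status VERSION : print "upgrade", "verify-patch" or "ok".
# Accepts Debian-style strings such as 3.2.11-2ubuntu1 (revision is dropped).
gnutls_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    case "$ver" in
        2.12.*) echo "verify-patch" ;;
        3.*)    if version_lt "$ver" 3.2.12; then echo "upgrade"; else echo "ok"; fi ;;
        *)      echo "upgrade" ;;
    esac
}

# gnutls_sonames_in_ldd : read ldd(1) output on stdin and print the libgnutls
# sonames it references, one per line; prints nothing if there are none.
gnutls_sonames_in_ldd() {
    sed -n 's/^[[:space:]]*\(libgnutls[^[:space:]]*\)[[:space:]]*=>.*/\1/p'
}

# links_gnutls PATH : succeed if the binary at PATH is linked against libgnutls.
links_gnutls() {
    [ -n "$(ldd "$1" 2>/dev/null | gnutls_sonames_in_ldd)" ]
}

# installed_gnutls_version : best-effort lookup, pkg-config first, then dpkg.
installed_gnutls_version() {
    pkg-config --modversion gnutls 2>/dev/null && return 0
    dpkg-query -W -f='${Version}\n' 'libgnutls*' 2>/dev/null | head -n1
}

# audit_binaries PATH... : report each binary that links libgnutls, then the
# status of the installed library.
audit_binaries() {
    for bin in "$@"; do
        if links_gnutls "$bin"; then
            printf '%s links %s\n' "$bin" "$(ldd "$bin" | gnutls_sonames_in_ldd | head -n1)"
        fi
    done
    ver=$(installed_gnutls_version)
    if [ -n "$ver" ]; then
        printf 'installed GnuTLS %s: %s\n' "$ver" "$(gnutls_status "$ver")"
    fi
}

# Usage: sh gnutls_audit.sh /usr/sbin/exim4 /usr/bin/wget /usr/sbin/cupsd
if [ $# -gt 0 ]; then
    audit_binaries "$@"
fi
```

Run it with the paths of the programs the article names (exim4, cupsd, wget, nm-applet or NetworkManager, slapd) to see which ones actually pull in libgnutls on your host; a "verify-patch" result means you have to check your distribution's changelog for the 2.12.x fix rather than trusting the version number.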
I use OpenLDAP with OpenSSL on my home lab, and I love it. Microsoft’s Active Directory is obviously the industry standard for enterprises, but OpenLDAP provides the same functionality without some of the shiny interfaces. It’s all the same engine underneath.
Yesterday’s hullabaloo about the GnuTLS stuff was pretty funny since most of us who use these products knew that GnuTLS was crap and wondered why the Internet was making it out to be such a big deal.
Open source folks protect their own. That’s the beauty of it.
I have been using Xubuntu for several years. Largely because it came packaged with XFCE, which I like very much.
I find that my version which failed to upgrade properly the last time I tried shows signs of possible system compromise.
The package I am running has “libcurl3-gnutls” included in it. The Xubuntu version is “7.21.3-1ubuntu1.5”.
I do no banking with this computer.
Have been thinking about switching to Fedora. I ran RedHat for years and liked it. I switched to XFCE for the first time under RedHat 8.0.
What OS do you run? What OS do you think has the best security, overall?
It is a pain to transfer the data files for a clean reinstall but I think I am about to that point.
As far as which one? It all depends on how you set it up. Most Linuxes are pretty much the same in that regard.