GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin
GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack.
The TLS handshake requires two round-trips between client and server to establish a secure connection. Session tickets provide a way to resume previously established connections with only one round-trip. But this convenience comes at a cost – it's less secure, as described by Google cryptographer Filippo Valsorda.
The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls_session_ticket_key_generate(). An attacker capable of exploiting this vulnerability could bypass authentication under TLS 1.3 and could recover previous conversations under TLS 1.2.
The bug, introduced in GnuTLS 3.6.4 (Sep. 24, 2018), was fixed in GnuTLS 3.6.14 (June 3, 2020). [...]
(Score: 3, Touché) by driverless on Friday June 12 2020, @01:38AM
Not surprising that the vuln is around session tickets, and we'll see many more of these in the future. The main driver behind TLS 1.3 was to make things easier for large content providers like Google, Facebook, Cloudflare, and others. You can see that in the design, every possible corner was cut in the pursuit of 1RTT or 0RTT where possible. Problem is that when you disregard security in order to get performance you end up with.., well, Intel is another example. Still, as long as Google's servers get to push out content more efficiently it's all been worthwhile.