GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin
GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack.
The TLS handshake requires two round-trips between client and server to establish a secure connection. Session tickets provide a way to resume previously established connections with only one round-trip. But this convenience comes at a cost – it's less secure, as described by Google cryptographer Filippo Valsorda.
The flaw allowed GnuTLS servers to use session tickets issued during a previous secure TLS 1.3 session without accessing the function that generates secret keys, gnutls_session_ticket_key_generate(). An attacker capable of exploiting this vulnerability could bypass authentication under TLS 1.3 and could recover previous conversations under TLS 1.2.
The bug, introduced in GnuTLS 3.6.4 (Sep. 24, 2018), was fixed in GnuTLS 3.6.14 (June 3, 2020). [...]
(Score: 2) by Mojibake Tengu on Thursday June 11 2020, @12:57PM (2 children)
In this context, I'd recommend to audit Openconnect VPN codebase.
I think all the computerized people of this planet deserve an explanation from Red Hat,
in whose benefitwhy they added such a backdoor at all.A very good explanation.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 0) by Anonymous Coward on Thursday June 11 2020, @04:03PM (1 child)
An audit will only make you feel secure.
These encryption softwares, they are too important as tactcal and strategic targets, to be allowed to not have a deniable way to pervert them in realtime.
And should audit find bugs, and someone fixes them, next day 20 new similar bugs get introduced by spy asset implanted in the project.
In my experience, audits are a tool that is designed to not be able to win this battle, but to provide deniability and the "come on over y'all, the waters fine 'ere"-factor.
(Score: 0) by Anonymous Coward on Thursday June 11 2020, @07:38PM
You're wrong. An audit providing evidence of more malfeasance is enough to impact Red Hat (or anyone else that gets scooped up). Any contributor who repeatedly does things like this - which are transparently "add a deniable security hole" is either incompetent (I've had co-ops who wrote code like this) or malfeasant. Either way, look for evidence. If there's none, they might get a "well mistakes happen, that intern sucked" on their record in the IT-crowd-mindshare memo pad.
(Score: 3, Touché) by driverless on Friday June 12 2020, @01:38AM
Not surprising that the vuln is around session tickets, and we'll see many more of these in the future. The main driver behind TLS 1.3 was to make things easier for large content providers like Google, Facebook, Cloudflare, and others. You can see that in the design, every possible corner was cut in the pursuit of 1RTT or 0RTT where possible. Problem is that when you disregard security in order to get performance you end up with.., well, Intel is another example. Still, as long as Google's servers get to push out content more efficiently it's all been worthwhile.
(Score: -1, Spam) by Anonymous Coward on Saturday June 13 2020, @10:17AM
This has been a public service announcement from GNAA (GAY NIGGER ASSOCIATION OF AMERICA).
And now we return to our usual broadcast...
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.
Are you GAY [klerck.org]?
Are you a NIGGER [mugshots.org]?
Are you a GAY NIGGER [gay-sex-access.com]?
If you answered "Yes" to any of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.
GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!
Why not? It's quick and easy - only 3 simple steps!
First, you have to obtain a copy of GAY NIGGERS FROM OUTER SPACE THE MOVIE [imdb.com] and watch it.
Second, you need to succeed in posting a GNAA "first post" on SoylentNews [soylentnews.org], a popular "news for trolls" website
Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!
If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.prison.net or irc.colosolutions.net as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the GNAA Java IRC client by clicking here [nero-online.org].
If you have mod points and would like to support GNAA, please moderate this post up.
This post proudly brought to you by the GNAA president
________________________________________________
| ______________________________________._a,____ |
| _______a_._______a_______aj#0s_____aWY!400.___ |
| __ad#7!!*P____a.d#0a____#!-_#0i___.#!__W#0#___ |
| _j#'_.00#,___4#dP_"#,__j#,__0#Wi___*00P!_"#L,_ |
| _"#ga#9!01___"#01__40,_"4Lj#!_4#g_________"01_ |
| ________"#,___*@`__-N#____`___-!^_____________ |
| _________#1__________?________________________ |
| _________j1___________________________________ |
| ____a,___jk_GAY_NIGGER_ASSOCIATION_OF_AMERICA_ |
| ____!4yaa#l___________________________________ |
| ______-"!^____________________________________ |
` _______________________________________________'