A major, critical security flaw in a key cryptographic program used by most flavors of GNU/Linux as well as other free/open operating systems has been reported. The bug, which appears in the Gnutls code, allows for undetectable man-in-the-middle attacks against affected systems. My operating system, Ubuntu, had an update waiting for it this morning that patched this. If you're running any flavor of Linux or BSD, you should immediately check for, and apply, any TLS patches offered through your distribution.
Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical "goto fail" flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.
"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification," an advisory issued by Red Hat warned. "An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."
GnuTLS developers published this bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as "an important (and at the same time embarrassing) bug discovered during an audit for Red Hat." Debian's advisory is here.
[Dan Goodin/Ars Technica]
On the eve of the Stuxnet attacks, half a decade ago, I found myself discussing what it all meant with William Gibson (I’d just interviewed him on stage in London), and I said, “I think the most significant thing about any of these sophisticated, government-backed attacks is that they will eventually turn into a cheap […]
The World Wide Web Consortium has embarked upon an ill-advised project to standardize Digital Rights Management (DRM) for video at the behest of companies like Netflix; in so doing, they are, for the first time, making a standard whose implementations will be covered under anti-circumvention laws like Section 1201 of the DMCA, which makes it […]
Yahoo today confirmed that it suffered a massive data breach that exposed information for at least 500 million user accounts in 2014. If you have a Yahoo account, the company says you should review all your online accounts for any suspicious activity.
If you own a dog, you’ve most likely heard of BarkBox – the monthly subscription box for dogs. What started as a simple idea to try out the subscription model on pet owners has since developed a cult following of dog lovers. If you haven’t given it a try yet, this one month free deal is the […]
With the iPhone headphone jack having gone by the wayside, we’re excited about the addition of the FRANKLIN Bluetooth Headphones in our store. These headphones are foldable so they’re easy to carry around, but most importantly, they pack impressive sound. Our biggest struggle with Bluetooth headphones is the worry of them dying at the worst moment. This pair lasts an impressive 8-10 […]
Evan Kimbrell, founder of the digital agency Sprintkick, recently released a series of online courses that feature some of the best advice we’ve come across. These courses are well worth your time, and will save you from making many typical mistakes down the line if you ever want to start your own business.With this Business […]