Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
IvanIV
"The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package."
So Apple users weren't that special after all. Now something for Windows and we can all congratulate each other.
Comments
Anyway Linux tends to be more secure because you always have to provide the root password before any software gets installed, or any change gets made to system files.
Plus the userbase is so small that nobody bothers writing any malware for it.
And it seems using an Arch-based distro, according to the OP's link, offers better security than Debian.
Good job I use Arch then.
Unfortunately this vulnerability has nothing to do with installing software. It would in theory allow anyone to view the plain-text version of any 'encrypted' data sent to any websites running on a vulnerable Linux system.
The latest version of what though? That's what my befuddled brain couldn't glean from the article.
I'm actually writing this from my Arch install, and it's on version 3.12.8 of the kernel, whereas all my Ubuntu/Debian based ones are on 3.11 something.
Is that what it's talking about?
Just because it's the most secure, this doesn't mean that it's immune to viruses. This might be the first virus in goodness knows how long that's been written for it.
Edit: I'm sure the writers of these OSs will get straight onto this.
Ah, I get it now.
It's not clear if it was exploited or not. You do not always announce with fanfares that you were able to intercept something. It might be better to keep listening and keep quiet about it. Given it's all open source, anybody with enough dedication and knowledge could have discovered it a long time ago and used it.
Password protection/UAC has nothing to do with this; the code contains an error and may report that it successfully verified a certain entity even when its certificate is invalid and the check should have failed. Depending on what follows, it can have fatal consequences.
And is the vulnerability closed by GNUTLS version 3.2.12?
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7341
http://www.tomsguide.com/us/critical-linux-flaw-gnutls,news-18406.html
Seems Ubuntu/Mint users shouldn't have to wait too long for a patch?
Looks like it:
** libgnutls: Corrected certificate verification issue (GNUTLS-SA-2014-2)
** libgnutls: Corrected issue in gnutls_pcert_list_import_x509_raw
when provided with invalid data. Reported by Dmitriy Anisimkov.
Firefox and its friends use NSS and other stuff uses OpenSSL.
It's worth pointing out that GnuTLS is still used in software though. Even Wireshark, though I'm not sure what for!