"McClanahan lamented, who went on to chide Google for hiring expensive security engineers but not offering financial support to the projects they criticize."
Couldn't be put any better.
GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack. The TLS handshake requires two round-trips between client and server to establish a secure connection. Session …
LOL, they really think Google is going to pay for open source code it has no use for. And even for the latter it will just do what's in its interest and nothing more. Do they really believe Google is different from Microsoft & C.? At least Microsoft products are (were?) software applications, Google products are user profiles to be used to make money.
Allegedly is that any bugs etc. are visible and in the open so in theory lots of eyes will find them and report them or fix them. For this to be around for a few years means that this possibly has not been seen/noticed/exploited until now. Why have all these experts not noticed and called the developers out before now ? I'm pretty certain that GNU TLS is not developed by a lone individual in a shed somewhere, it's a fairly large collaborative operation so there will already have been a lot of eyes and project comms on the development of this feature so the herd must have thought it was OK, it wasn't just some rogue/lone developer's flawed thinking.
There is no mention of exploitations in the wild and the patches have been applied and released (I got Debian Security Notices on Saturday) so it's already been mitigated against.
At least it has been found, we have no ideas and no chances of finding out what nasties thare are in [BIGMONOLITHIC] INC.s libraries which we of course trust implicitly.
There is now far more open source code than competent eyes to peruse it and find bugs and bad implementations just reading the code - especially when it is complex one like cryptographic libraries or kernel code.
There will be more vulnerabilities found by automated probes than found by developers. Open source just makes easier to look at the relevant code when something wrong is spotted - but swome researchers have access to closed source code as well, albeit it's more difficult to obtain access.
Looking at someone else's code was never funny, and developers usually like to write new code, not read old one. Sure, sometimes while looking through the code to add yours you will spot something wrong, but if that is in code rarely looked at it can hide for a long time, like in this case.