GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin

GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug that had been hiding in the code for almost two years that made resumed TLS 1.3 sessions vulnerable to attack. The TLS handshake requires two round-trips between client and server to establish a secure connection. Session …

  1. IGotOut Silver badge

    Well said...

    "McClanahan lamented, who went on to chide Google for hiring expensive security engineers but not offering financial support to the projects they criticize."

    Couldn't be put any better.

    1. Anonymous Coward

      Re: Well said...

      LOL, they really think Google is going to pay for open source code it has no use for. And even for the latter it will just do what's in its interest and nothing more. Do they really believe Google is different from Microsoft & C.? At least Microsoft products are (were?) software applications, Google products are user profiles to be used to make money.

    2. chasil

      2008 GnuTLS criticism.

      This chatter has been going on for quite a long time.

  2. RyokuMas

    One rule for them...

    And where, oh Google, is the usual caveat of "you've got 90 days to fix this before we tell the world"?

    ... or maybe it's because you don't have anything that competes with this directly???

    1. Frederic Bloggs

      Re: One rule for them...

      Can one now compile exim out of Canonical's box and have it able to correctly recognise and then handle connections with EC certificates?

  3. Lunatic Looking For Asylum

    One of the advantages of open source..

    Allegedly is that any bugs etc. are visible and in the open so in theory lots of eyes will find them and report them or fix them. For this to be around for a few years means that this possibly has not been seen/noticed/exploited until now. Why have all these experts not noticed and called the developers out before now? I'm pretty certain that GNU TLS is not developed by a lone individual in a shed somewhere, it's a fairly large collaborative operation so there will already have been a lot of eyes and project comms on the development of this feature so the herd must have thought it was OK, it wasn't just some rogue/lone developer's flawed thinking.

    There is no mention of exploitations in the wild and the patches have been applied and released (I got Debian Security Notices on Saturday) so it's already been mitigated against.

    At least it has been found, we have no ideas and no chances of finding out what nasties there are in [BIGMONOLITHIC] INC.'s libraries which we of course trust implicitly.

    1. IGotOut Silver badge

      Re: One of the advantages of open source..

      "I'm pretty certain that GNU TLS is not developed by a lone individual in a shed somewhere,"

      You may be surprised how often these essential libraries are maintained by a few hobbyists doing it in their spare time.

      1. Anonymous Coward

        Re: One of the advantages of open source..

        Three, in this case.

    2. Anonymous Coward

      Re: One of the advantages of open source..

      There is now far more open source code than competent eyes to peruse it and find bugs and bad implementations just reading the code - especially when it is a complex one like cryptographic libraries or kernel code.

      There will be more vulnerabilities found by automated probes than found by developers. Open source just makes it easier to look at the relevant code when something wrong is spotted - but some researchers have access to closed source code as well, albeit it's more difficult to obtain access.

      Looking at someone else's code was never funny, and developers usually like to write new code, not read old one. Sure, sometimes while looking through the code to add yours you will spot something wrong, but if that is in code rarely looked at it can hide for a long time, like in this case.

  4. Nano nano

    Erm, Unit testing ?

    'Nuff Said
