nanog mailing list archives

Fwd: [ PRIVACY Forum ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping


From: Jay Ashworth <jra () baylink com>
Date: Tue, 4 Mar 2014 22:07:56 -0500 (EST)

Oh hell.

Is this the *same* bug that just broke in Apple code last week?

Cheers,
-- jra

----- Forwarded Message -----
From: "PRIVACY Forum mailing list" <privacy () vortex com>
To: privacy-list () vortex com
Sent: Tuesday, March 4, 2014 3:17:43 PM
Subject: [ PRIVACY Forum ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Critical crypto bug leaves Linux, hundreds of apps open to
eavesdropping

http://j.mp/1jPcVOr (Ars Technica)

"Hundreds of open source packages, including the Red Hat, Ubuntu, and
Debian distributions of Linux, are susceptible to attacks that
circumvent the most widely used technology to prevent eavesdropping on
the Internet, thanks to an extremely critical vulnerability in a
widely used cryptographic code library. The bug in the GnuTLS library
makes it trivial for attackers to bypass secure sockets layer (SSL)
and Transport Layer Security (TLS) protections available on websites
that depend on the open source package. Initial estimates included in
Internet discussions such as this one indicate that more than 200
different operating systems or applications rely on GnuTLS to
implement crucial SSL and TLS operations, but it wouldn't be
surprising if the actual number is much higher. Web applications,
e-mail programs, and other code that use the library are vulnerable to
exploits that allow attackers monitoring connections to silently
decode encrypted traffic passing between end users and servers. The
bug is the result of commands in a section of the GnuTLS code that
verify the authenticity of TLS certificates, which are often known
simply as X509 certificates."

- - -

--Lauren--
Lauren Weinstein (lauren () vortex com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility:
http://www.pfir.org/pfir-info
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- PRIVACY Forum: http://www.vortex.com/privacy-info
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com

-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

