[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Critical GnuTLS bug ...

To: Michael Ströder <michael@stroeder.com>, OpenLDAP Technical <openldap-technical@openldap.org>
Subject: Re: Critical GnuTLS bug ...
From: Howard Chu <hyc@symas.com>
Date: Tue, 04 Mar 2014 13:44:54 -0800
In-reply-to: <53164683.2040903@stroeder.com>
References: <53162C1E.1000501@symas.com> <53164683.2040903@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26a1

Michael Ströder wrote:

Howard Chu wrote:

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

Perhaps folks will take us more seriously the next time we say "don't use
GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html


While I personally also prefer OpenSSL over GnUTLS it's not fair to blame
developers if they publish a security issue themselves.


This issue was found by a RedHat audit, not by the GnuTLS developers.

The same underlying problem remains - the GnuTLS developers didn't know thefirst thing about X.509 certificates. They pointedly ignored (or were simplytoo inexperienced to even understand) the issues that were identified. Andapparently, they still haven't learned, after all this time.

One never knows which issues are in other preferred software packages which
the developers are not honest enough to talk about.

Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Critical GnuTLS bug ...
  - From: Howard Chu <hyc@symas.com>
- Re: Critical GnuTLS bug ...
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Restricting access based on IP Address
Next by Date: Re: ppolicy not working in 2.4.23 !!
Index(es):
- Chronological
- Thread