Bonum Certa Men Certa

Panic Over Transport Layer Security (TLS) Flaw Which is Already Patched

Bad news sells better

Summary: What the media is not really telling us about the GnuTLS vulnerability

The corporate press has shown its ignorance by characterising GNU as "Linux" and describing an already-patched flaw as the worst thing since proprietary software. Some went as far as suggesting that the NSA was behind it [1] and Muktware rebutted [2] the seminal article [3] which started a lot of the panic (at the time of writing there are dozens of articles about this, but we don't need to feed them with links). What we have here is another case of Dan Goodin creating panic in the Microsoft-friendly Ars, just as he had done when he worked for the Microsoft-friendly The Register. The only shocking thing is the amount of press coverage this received. PGP/GPG, OpenSSH, OpenSSL etc. were previously named here for flaws that had been found (in the context of Red Hat and the NSA [1, 2, 3]). These are not so uncommon. One just needs to keep up to date (patched) -- one that which Apple's customers cannot do. They can't even write their own patches.



Related/contextual items from the news:


  1. NSA did it again? This time GnuTLS fails to check malicious certificates


  2. Yes there was a security hole in Linux, but Red Hat already fixed it
    Originally reported by Ars Technica, the fix was available by the time the general public was made aware of it. It’s actually fairly similar to a certain security hole that lived for a year and could have allowed for exploits to be used in the wild.


  3. Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
    The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

Recent Techrights' Posts

Gemini Links 01/03/2024: Making Art and the Concept of Work Management
Links for the day
Schriftleitergesetz: Hiding the Holocaust with censorship
Reprinted with permission from Daniel Pocock
[Meme] His Lips Moved
Here is your national "news" for today
statCounter: GNU/Linux Exceeded 6% in Asia Last Month (Compared to 4% Just 12 Months Earlier)
numbers may be biased
What the End of Journalism Looks Like
All on the same day
Links 01/03/2024: Microsoft 'Retiring' More Services and Raspberry Pi Celebrates 3rd Birthday (Launched on February 29th, 2012)
Links for the day
Women's Empowerment
Sponsored by Bill Gates
Gemini Links 01/03/2024: Speed Bumps and Analog Stuff
Links for the day
[Meme] Those Greedy EPO Examiners
Says the litigation industry, charging 300 euros an hour per attorney
EPO Discriminates Against Families of Its Own Workers, the Union Explains Legal Basis Upon Which It's Likely Illegal and Must be Challenged
To the Council, the EPO boasts about its wealth (seeking to impress by how much breaking the law "pays off")
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, February 29, 2024
IRC logs for Thursday, February 29, 2024
Links 01/03/2024: Misuse of Surveillance Against UK-Based Journalism, EPO Conflict Now in the Media
Links for the day
Taking a Break From Paid Promotion of the Illegal, Unconstitutional Kangaroo Court for Patents (UPC)
JUVE returns to its 'roots'?
FSFE admits losing funds from bequest by insulting and ignoring Fellowship representative
Reprinted with permission from Daniel Pocock
Gemini Links 29/02/2024: Raspberry Pi Incus Cluster and Aya 0.5.0 Coming Soon
Links for the day
Links 29/02/2024: Layoffs at Apple, Expedia, and Electronic Arts
Links for the day
Gemini Links 29/02/2024: Web Enshittification and Firefox user-agents
Links for the day
Spiked Piece/Censoreed Piece: 'Microsoft Copilot is a gimmick', says top CIO
Issues relate to connectivity and cost
Enrico Zini, Mattia Rizzolo, Plagiarism & Debian
Reprinted with permission from Daniel Pocock
[Meme] Clergy of GNU/Linux (Corporations Like IBM)
Volunteers as powerless "followers" of companies that "harvest" their labour
There Will Be Lots More Apple Layoffs (Already Years in the Making)
The corporate media still tries to shape the narrative to prevent panic or delay market hysteria
Latest SUEPO (Staff Union of EPO) Report For The Hague Reveals EPO Does Not Obey Court Orders, Refuses to Allow Workers to Freely Talk to One Another
working in a place where communication itself is restricted
[Meme] The Oppression Will Continue Until EPO 'Quality' Improves
wonder why EPO morale is so low?
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, February 28, 2024
IRC logs for Wednesday, February 28, 2024
Outreachy, GSoC-mentors & Debian-Private may soon become public records in federal court
Reprinted with permission from Daniel Pocock
Links 28/02/2024: Many War Updates and Censorship
Links for the day
Gemini Links 28/02/2024: Social Control Media Notifications and Gemini Protocol Extended
Links for the day
Links 28/02/2024: Microsoft the Plagiarist is Projecting, Food Sector Adopts Surge Pricing
Links for the day
Helping Microsoft 'Hijack' Developers (to Make Them Work for Microsoft, Not the Competition)
VS Code is proprietary spyware of Microsoft. Jack Wallen keeps promoting its use.
Gemini Links 28/02/2024: Groupthink and the 'Problem' With Linux
Links for the day
Android Rising (Windows Down to All-Time Lows, Internationally)
This month was a bloodbath for Microsoft
HexChat Looks for Successors to Keep IRC Growing
IRC is far from dead
[Meme] Just Make Him Happy
Y U no produce more monopolies?
End of a Long February
top 10 posts
[Meme] The EPO's Relationship With Patent Examiners
Nobody is "safe"
New Pension Scheme (NPS) at the European Patent Office Explained at the General Assembly
Investing in the future, or...
Donald Trump & FSFE Matthias Kirschner election denial
Reprinted with permission from Daniel Pocock
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, February 27, 2024
IRC logs for Tuesday, February 27, 2024