
Re: gnutls security breach



On 06/03/14 05:59, NoSpaze wrote:
> On Wed, 2014-03-05 at 03:10 -0500, Ric Moore wrote:
>> Anyone see this?
>> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>> Yeow! I just did update / upgrade to Jessie, but didn't see the security 
>> fix come through yet. Ric
> 
> I wanted to know if this has a major influence on my system:

And your system is?

> 
> # lsof -n | grep libgnutls|awk '{ print $1; }'|sort|uniq -c
<snipped>
> 
> So, no problem for me, but seeing apache there makes me think if I
> should continue to use online banking...

Have you applied the libgnutls security update?

Puzzled. How would apache - running your own web server - impact on the
ssl certs your system authenticates as part of your online banking?

Both apache and your server use gnutls for handling SSL, TLS and DTLS -
aside from that there are no connections I can see.

<opinion class=biased authority=unknown>
As always if you want secure connections get up and walk. Otherwise the
best you can do, after limiting your risk exposure and maintaining good
OpSec and a secure system is:-
;visually confirm the cert footprint to ascertain it belongs to the
issuer - particularly if it changes (see your cert settings in your browser)
;check with DNSSEC that the site issuing the cert is the site it claims
to be.
Given that most users don't do the former - even though I can't think of
a major cert issuer who hasn't been compromised, and most enterprise
resists implementation of DNSSEC... SNAFU(?)
Internet banking will always be a risk, likewise any secure
communications using resources outside your control. It's always an
end-to-end equation with at least two unreliable meatbags at either end,
and the triviality of capture and replay at a later date with additional
information.
</opinion>

> 
> Anyway, I don't find any concrete information on the bug's effects on
> common systems...

Did you try searching this list for information?
Was the information I provided earlier in this thread insufficient? What
do you mean by "I don't find"? It took me all of ten minutes to find
more detail on the *past* bug than I had time to read since.

You could check the git and see what has changed, and why, since Simon
Josefsson wrote the relevant section of code - or just rely on second
and third hand "interpretations". I'm not sure what choices you have.

*Theoretically* the bug, since patched, *may* have allowed an attacker
using a carefully crafted X.509 certificate, of which no working proof
has been found, to play MITM. You would need to accept this certificate
or it won't work. I'm not attempting to mitigate the risks - just
counter the over-hyped, ill-informed, chorus of monkey blogs/"news"
channels that seek to inflate their readerships by conflating possible
with actual.
In a world of breached certificate "authorities", and compromised banks,
networks, and DNS - MITM is a constant risk even if ssl/tls/dtls was easy
to secure *and* certificate issuers adhered to a standard that allowed that.

<snipped>

Kind regards
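
Added example, not part of the original message: the quoted lsof pipeline shows which programs have libgnutls loaded, but not whether they still run the pre-update copy, which a process keeps mapped until it is restarted. The sketch below reads /proc/<pid>/maps and flags mappings the kernel marks "(deleted)"; the function names, PIDs, paths and library versions in the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify one process from the text of its /proc/<pid>/maps:
#   stale   - libgnutls mapped from a file that was since replaced on disk
#   current - libgnutls mapped from the file now on disk
#   none    - libgnutls not mapped at all
gnutls_state() {
    awk '
        /libgnutls/ { seen = 1; if ($NF == "(deleted)") stale = 1 }
        END {
            if (stale)     print "stale"
            else if (seen) print "current"
            else           print "none"
        }
    ' "$1"
}

# Walk a /proc-style tree and print "state<TAB>pid<TAB>command" for every
# process that maps libgnutls. Unreadable processes are skipped.
scan_gnutls() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        state=$(gnutls_state "$dir/maps" 2>/dev/null) || continue
        if [ -z "$state" ] || [ "$state" = "none" ]; then continue; fi
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        printf '%s\t%s\t%s\n' "$state" "${dir##*/}" "$comm"
    done
}

# Constructed sample tree (made-up PIDs, paths and versions) for offline runs.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    lib=/usr/lib/x86_64-linux-gnu/libgnutls.so.26
    mkdir "$t/101" "$t/202" "$t/303"
    echo apache2 > "$t/101/comm"
    echo "7f10a0000000-7f10a00b0000 r-xp 00000000 08:01 1311 $lib (deleted)" > "$t/101/maps"
    echo exim4 > "$t/202/comm"
    echo "7f20b0000000-7f20b00b0000 r-xp 00000000 08:01 1422 $lib" > "$t/202/maps"
    echo bash > "$t/303/comm"
    echo "7f30c0000000-7f30c01b0000 r-xp 00000000 08:01 1533 /lib/x86_64-linux-gnu/libc-2.13.so" > "$t/303/maps"
    echo "$t"
}

# Stand-alone run: sample tree by default, the live system with "live".
if [ "${1:-}" = "live" ]; then
    scan_gnutls /proc
else
    sample=$(make_sample_tree) && scan_gnutls "$sample" && rm -rf "$sample"
fi
```

Run with the argument `live` as root to cover every process; any line reported as `stale` is a service that needs restarting before the updated library takes effect for it.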

