Critical Crypto Bug Leaves Linux, Hundreds of Apps Open to Eavesdropping

Dan Goodin, reporting for Ars Technica:

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug. […]

Matt Green, a Johns Hopkins University professor specializing in cryptography, characterized the vulnerability this way: “It looks pretty terrible.”

Coincidence?

Tuesday, 4 March 2014