
Re: Critical GnuTLS bug ...

Michael Ströder wrote:
> Howard Chu wrote:
>> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>>
>> Perhaps folks will take us more seriously the next time we say "don't use
>> GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
>
> While I personally also prefer OpenSSL over GnuTLS it's not fair to blame
> developers if they publish a security issue themselves.

This issue was found by a RedHat audit, not by the GnuTLS developers.

The same underlying problem remains - the GnuTLS developers didn't know the first thing about X.509 certificates. They pointedly ignored (or were simply too inexperienced to even understand) the issues that were identified. And apparently, they still haven't learned, after all this time.

> One never knows which issues are in other preferred software packages which
> the developers are not honest enough to talk about.
>
> Ciao, Michael.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/