[Cryptography] It's GnuTLS's turn: "Critical new bug in crypto library leaves Linux, apps open to drive-by attacks"

Phillip Hallam-Baker phill at hallambaker.com
Wed Jun 4 12:14:17 EDT 2014


On Tue, Jun 3, 2014 at 9:43 PM, Tom Mitchell <mitch at niftyegg.com> wrote:
> On Tue, Jun 3, 2014 at 10:57 AM, Jerry Leichter <leichter at lrw.com> wrote:
>>
>> "A recently discovered bug in the GnuTLS cryptographic code library puts
>> users of Linux and hundreds of other open source packages at risk of
>> surreptitious malware attacks until they incorporate a fix developers
>> quietly pushed out late last week."
>>
>
> This has large implications for embedded software....
> Appliances are notoriously long lived and not profitable to maintain.
> I have numerous wifi routers that can only be used in isolation.
> I have a growing pile of phones and tablet hardware that are no
> longer getting updates from the vendor....  In some cases AT&T
> blocks Samsung from updating Samsung designed hardware.

Me too. I have a whole box of rubbish WiFi routers that died before I
bought an AirPort but even that won't reliably service a house with
multiple access points connected by ethernet on one SSID. The
configuration does not even seem to have been considered.

What I do find rather problematic is that people are not looking at
this as a system and ideology is being used as a substitute for
argument.

I was doing Open Source before it had a name. The whole of the
original CERNLib for WWW was in the public domain. Not GNU, not BSD,
public domain. And that was because no restrictions at all was the
best way to achieve the objective of getting people onto the Web.

But I have never argued that open source guarantees security or
necessarily even improves it. I have never found anyone who enjoys
reviewing other people's code. So the idea people will do code reviews
because something is open source is rather silly. There are a handful
of projects that do serious code reviews but I see those as code
review projects that happen to be open source rather than the reverse.

It does not surprise me then that open source software has bugs. What
does surprise me is that the response from some is 'well open source
is still better and the real problem is still the CAs'.

Well if the system was working right the problem SHOULD be at the CA
because the CA is the interface between the world of software and
hardware where we have control and the real world where we have none.
When I started working on the WebPKI my expectation was that the error
rate would be between 0.1-1.0%. I was wrong. It was so much lower that
most of you ignored all the technical controls that we specified
because you don't see the need for them.

Can we just agree that anyone who turns off revocation checking loses
the right to gripe or grumble about any other part of the WebPKI being
wrong?


On the embedded systems thing. Well as people know I am writing a
protocol compiler, no have written a protocol compiler.

At the moment what you do is that you give Protogen a description of
the data that goes into the messages and press a button and out pops:

1) Code to implement a client API in C# and C
2) Code to implement a server that listens for the calls in C# (C to come)
3) Reference documentation in IETF Internet Draft format (HTML or XML2RFC)
4) A pony (planned for version 2.0)

It now takes me roughly two days to write a spec that includes
examples from actual running code (another part of the tool). This is
one I did in two days recently:

http://tools.ietf.org/html/draft-hallambaker-sxs-confirm-00

Oh and it's all Open Source and up on SourceForge


At the moment it generates code to implement the protocol in JSON over
either HTTP or UDP transport. But other transports and encodings can
be added.

Now where I am headed with this is that I have completely defined the
interfaces I need to the networking hardware. So now I have code that
can run on a very very minimal operating system. Something like ArdOS
which is a 1.6KB operating system for the Arduino.


So if people were to take a look at my protocol compiler and check
that it did not put any backdoors into my code and some other folk
looked at a very basic multitasking plus networking layer, we could
use the combination of the two to arrive at code builds for devices
that we could consider to be fully verified.

