[Cryptography] It's GnuTLS's turn: "Critical new bug in crypto library leaves Linux, apps open to drive-by attacks"
Adam Sampson
ats at offog.org
Thu Jun 5 08:29:24 EDT 2014
Jerry Leichter <leichter at lrw.com> writes:
> So now we've had serious attacks on Apple's private SSL
> implementation, OpenSSL, and now GnuTLS. Is anything left standing?
The other "big" implementation is Mozilla's NSS library, which has
certainly had fewer CVEs published than the other two:
http://www.cvedetails.com/product/4052/Mozilla-Network-Security-Services.html
http://www.cvedetails.com/product/4433/GNU-Gnutls.html
http://www.cvedetails.com/product/383/Openssl-Openssl.html
... although that may just reflect the much smaller number of
applications that use it. It's also written in C and uses the same kinds
of implementation patterns as OpenSSL/GnuTLS.
There's been some effort within Fedora to standardise on NSS, including
an OpenSSL-compatible API wrapper (nss_compat_ossl):
https://fedoraproject.org/wiki/FedoraCryptoConsolidation
--
Adam Sampson <ats at offog.org> <http://offog.org/>
More information about the cryptography
mailing list