March 17, 2014

GnuTLS Flaw Puts Developers and Users at Risk

It’s bad enough that every day it seems we hear something new about major organizations like the NSA spying on our every move, but now hackers are taking their bugs to the next level for their 15 minutes of fame. Just this past week, a serious bug in the open source GnuTLS library, which is used by thousands of HTML5 developers, left hundreds of developed open source packages at risk of attacks and spying.

GnuTLS is supposed to be a secure communications library that implements SSL, TLS, and DTLS protocols and other technologies. According to the website, it “provides a simple C language application programming interface (API) to access the secure communications protocols, as well as, APIs to parse and write X.509, PKCS #12, OpenPGP, and other required structures.”

It supports everything from online certificate status protocols to public key methods, and will run on most Unix platforms and Windows. It has become an extremely popular developer tool. Hackers took to the tool and created a bug that can watch your every move if you have an open source application that has been infected on your computer.

It’s simple: while the GnuTLS library provides the code your computer needs to connect securely to the Internet or other protocols, the bug hijacks the encrypted data while it’s in transit. The good news is that it can’t see your personal data or change things around on your computer, but the bad news is that it leaves people unprotected and systems insecure against real attacks.

The bug attacked major open source programs such as Red Hat, Ubuntu, and Debian. "It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification," warned an advisory issued by Red Hat. "An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."
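The error class the Red Hat advisory describes, reduced to a toy model in C. This is an added example, not GnuTLS source code: the struct, the function names and the sample certificates are constructed for illustration. It shows a helper that returns a negative error code being read as "verified" by a boolean-style caller, next to a fail-closed caller that rejects on error.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy certificate, not a real X.509 structure. */
struct toy_cert {
    const char *subject;
    const char *issuer;
    int is_ca;       /* stand-in for the basic-constraints CA flag */
    int malformed;   /* 1 simulates a field that fails to parse */
};

#define ERR_PARSE (-1)

/* Tri-state helper: 1 = issuer may sign cert, 0 = it may not, <0 = error. */
static int issuer_may_sign(const struct toy_cert *cert,
                           const struct toy_cert *issuer)
{
    if (cert->malformed || issuer->malformed)
        return ERR_PARSE;
    if (!issuer->is_ca)
        return 0;
    return strcmp(cert->issuer, issuer->subject) == 0;
}

/* Flawed caller: any non-zero value, including ERR_PARSE, reads as "verified". */
int verify_flawed(const struct toy_cert *cert, const struct toy_cert *issuer)
{
    return issuer_may_sign(cert, issuer) ? 1 : 0;
}

/* Fail-closed caller: only an explicit 1 counts; errors are rejections. */
int verify_strict(const struct toy_cert *cert, const struct toy_cert *issuer)
{
    return issuer_may_sign(cert, issuer) == 1;
}

/* Constructed sample data. */
static const struct toy_cert ca        = { "Example CA", "Example CA", 1, 0 };
static const struct toy_cert good_leaf = { "www.example.test", "Example CA", 0, 0 };
static const struct toy_cert bad_leaf  = { "www.example.test", "Other CA", 0, 1 };

int main(void)
{
    printf("good leaf: flawed=%d strict=%d\n",
           verify_flawed(&good_leaf, &ca), verify_strict(&good_leaf, &ca));
    printf("malformed: flawed=%d strict=%d\n",
           verify_flawed(&bad_leaf, &ca), verify_strict(&bad_leaf, &ca));
    return 0;
}
```

The malformed certificate names an issuer that does not match the CA at all, yet the flawed caller accepts it because the parse error is non-zero; the strict caller rejects it.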

To solve the problem, GnuTLS is asking all of its users to upgrade to its latest version, 3.2.12, which will prevent the flaw and help fight against the latest bug. For more details, visit the GnuTLS website.

Edited by Alisen Downey

