
PSA: don't rely on GnuTLS, please. [CVE-2020-13777] Whoops, for the past 10 releases most TLS 1.0–1.2 connections could be passively decrypted and most TLS 1.3 connections intercepted. Trivially. Also, TLS 1.2–1.0 session tickets are awful. blog.filippo.io/we-need-to-tal
Quote Tweet
GnuTLS was using an all-zero key for encrypting TLS session tickets. Whoops. gitlab.com/gnutls/gnutls/
(There are more important things going on around me than tech right now, but the reason I care about security and cryptography is because it protects people, so this is relevant. This is also why we get riled up about things like memory safety.)
The change that introduced this vulnerability added complexity for literally no gain (although it intended to help with forward secrecy). This is why we fight complexity every step of the way. This is why I reject most crypto/tls feature requests.
Quote Tweet
It's even worse than I thought. GnuTLS's "rotation" doesn't actually do anything useful - the STEKs are derived with SHA-3(timestamp || master key). The master key is never rotated, so they're not actually rotating anything. All their "rotation" did was add a vulnerability.
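As an added illustration of the two points made above (an all-zero ticket key, and why deriving STEKs as SHA-3(timestamp || master) from a master key that never changes is not rotation), here is a small Python model. It is not GnuTLS code and not the thread authors' code. Its assumptions: a toy SHA-256 keystream plus HMAC stands in for the real ticket cipher, the derivation is SHA3-256 over an 8-byte big-endian timestamp, the "real rotation" server keeps only the current and previous epoch keys, and the attacker holds the server's long-lived key material (in the all-zero case that is simply bytes(32), no compromise needed).

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32
ZERO_MASTER = bytes(32)  # the all-zero ticket key the thread describes for CVE-2020-13777


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256, standing in for the real
    ticket cipher so this runs on the standard library alone. Not for real use."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(stek: bytes, payload: bytes) -> bytes:
    """Encrypt-then-MAC a ticket payload under a STEK: nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + stek).digest()
    mac_key = hashlib.sha256(b"mac" + stek).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_ticket(stek: bytes, blob: bytes) -> Optional[bytes]:
    """Verify and decrypt a sealed ticket; None if the tag does not verify."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hashlib.sha256(b"enc" + stek).digest()
    mac_key = hashlib.sha256(b"mac" + stek).digest()
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- the "rotation" the thread describes: STEK_t = SHA-3(timestamp || master) ---

def derived_stek(master: bytes, timestamp: int) -> bytes:
    """Per-epoch STEK from a master that is never replaced. SHA3-256 over an
    8-byte big-endian timestamp is this example's assumed encoding."""
    return hashlib.sha3_256(timestamp.to_bytes(8, "big") + master).digest()


def issue_derived_tickets(master: bytes, sessions: List[Tuple[int, bytes]]) -> List[Tuple[int, bytes]]:
    """Server: seal each session's resumption secret under that epoch's derived STEK."""
    return [(ts, seal(derived_stek(master, ts), secret)) for ts, secret in sessions]


def attacker_with_master(master: bytes, tickets: List[Tuple[int, bytes]]) -> List[Optional[bytes]]:
    """Passive attacker holding the master (from a memory dump, or bytes(32) in
    the all-zero case) re-derives every epoch's STEK and opens every ticket."""
    return [open_ticket(derived_stek(master, ts), blob) for ts, blob in tickets]


# --- rotation that does something: fresh random STEK per epoch, old keys dropped ---

class RotatingStekServer:
    def __init__(self) -> None:
        self.epoch = 0
        self.keys: Dict[int, bytes] = {0: secrets.token_bytes(32)}

    def rotate(self) -> None:
        """New random key; keep only current and previous epoch. A real
        implementation would also zeroise the dropped key material."""
        self.epoch += 1
        self.keys[self.epoch] = secrets.token_bytes(32)
        for old in [e for e in self.keys if e < self.epoch - 1]:
            del self.keys[old]

    def issue(self, secret: bytes) -> bytes:
        return self.epoch.to_bytes(4, "big") + seal(self.keys[self.epoch], secret)

    def resume(self, ticket: bytes) -> Optional[bytes]:
        key = self.keys.get(int.from_bytes(ticket[:4], "big"))
        return open_ticket(key, ticket[4:]) if key is not None else None


def attacker_with_key_dump(dumped_keys: Dict[int, bytes], tickets: List[bytes]) -> List[Optional[bytes]]:
    """Attacker who dumps the server's key set: only tickets from epochs whose
    key is still in memory can be opened."""
    results = []
    for ticket in tickets:
        key = dumped_keys.get(int.from_bytes(ticket[:4], "big"))
        results.append(open_ticket(key, ticket[4:]) if key is not None else None)
    return results


if __name__ == "__main__":
    # Constructed sample sessions: (timestamp, resumption secret).
    sessions = [(1_591_000_000 + 3600 * i, f"resumption-secret-{i}".encode()) for i in range(3)]
    tickets = issue_derived_tickets(ZERO_MASTER, sessions)
    print("all-zero master, derived STEKs:", attacker_with_master(ZERO_MASTER, tickets))
    srv = RotatingStekServer()
    old = srv.issue(b"epoch-0 secret")
    srv.rotate(); srv.rotate()
    new = srv.issue(b"epoch-2 secret")
    print("real rotation, dump at epoch 2:", attacker_with_key_dump(dict(srv.keys), [old, new]))
```

With the derived scheme, whoever holds the master (here, anyone, since it is all zeros) opens every ticket ever issued, because the timestamp is public and the master is the only secret input; with fresh per-epoch keys that are discarded, a dump of the server at epoch 2 opens only epoch 1 and 2 tickets, which is the property rotation is supposed to buy.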
For scale, this GnuTLS vulnerability is considerably worse than Heartbleed. If you use Linux distributions with GNU tendencies, you might want to check your dependency trees. This thread is a good starting point.
Quote Tweet
Replying to @__agwa and @FiloSottile
Genuine question: what is using GnuTLS? Some other GNU software? I wouldn’t be able to name an actual application using it.
They probably did, but cryptography code can be extremely tricky (remember the time when a Debian maintainer with good intentions innocently wanted to fix a compiler warning and, in the process, dramatically reduced the keyspace?)