New TLS Attack Takes the S out of HTTPS

Mar 11, 2014

Vulnerability affects many Linux web servers

How safe is your encrypted web session?
Security experts have uncovered a bug in the GnuTLS library that would allow an attacker to launch a man-in-the-middle attack to hijack a secure connection with a web server that is using the (HTTPS) protocol. According to the Common Vulnerabilities and Exposures project (CVE-2014-0092), "lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers via a crafted certificate."
GnuTLS is an open source library that provides applications with access to Secure Sockets Layer (SSL) and Transport Layer Security (TLS) services. The GnuTLS package is used widely throughout the Linux world and is included by default with many popular Linux distributions. The GnuTLS project advises users to "upgrade to the latest GnuTLS version (3.2.12 or 3.1.22), or apply the patch for GnuTLS 2.12.x." 

Related content

  • Two GnuTLS Bugfix Releases

    The GnuTLS project has published two bugfix releases to close several vulnerabilities and resolve an error capable of interrupting connections.

  • DTLS – Encryption for UDP

    TLS encryption is wonderful if it is running over a reliable transport protocol like TCP; but if your needs call for the less reliable UDP transport, you'd better start learning about DTLS.

  • Security Lessons: Cryptographic Agility

    When dangerous security flaws are discovered, being able to switch to alternative software can be crucial.

  • GnuTLS Version 2.0.0 Released

    Version 2.0.0 of the GnuTLS security database improves access to X.509 certificates and adds RSA with SHA-256/384/512 certificates to the crop of supported crypto approaches.

  • Server Name Indication

    Server Name Indication lets you operate more than one SSL-protected service per IP address.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More