Late on a Friday afternoon in the middle of February, Apple quietly issued a fix for a critical certificate validation bug in iOS that essentially could have given an attacker the ability to spy on supposedly secure communications.<\/p>\n
As critical as the bug was and as inconspicuous as a late Friday patch announcement is, this is standard fare for Apple. The Cupertino, California-based computer giant is well known for operating behind a legendary veil of secrecy.<\/p>\n
However, heads turned and interests were piqued the following day when it emerged that the bug not only affected Apple\u2019s mobile iOS<\/a> operating system but its traditional OSX operating system as well<\/a>. The plot thickened further last week when it became apparent that an eerily similar bug affected GnuTLS<\/a>, a free and open-source piece of software used to implement encryption in various Linux distributions and other platforms.<\/p>\n As more people looked at the bugs (particularly the Apple ones), more news outlets and researchers published suggestions of subterfuge. Bruce Schneier, one of the world\u2019s premiere cryptography and security experts, described the vulnerability as follows<\/a>:<\/p>\n \u201cThe flaw is subtle, and hard to spot while scanning the code. It\u2019s easy to imagine how this could have happened by error. And it would have been trivially easy for one person to add the vulnerability.<\/p>\n \u201cWas this done on purpose? I have no idea. But if I wanted to do something like this on purpose, this is exactly how I would do it.\u201d<\/p>\n Others researchers were more direct, challenging that the coding errors that led to the Apple bug \u2013 dubbed \u201cgoto fail\u201d \u2013 would be nearly impossible to commit and even more difficult to miss in the coding review process. Of course, given the current climate and the utility of the \u2018goto fail\u2019 vulnerability, many have speculated the both the Apple and the GnuTLS bugs would be very valuable to anyone in the business of spying.<\/p>\n While no doubt coincidental and similar in effect, the bugs came to exist in quite different ways. Another crypto expert, Matthew Green of Johns Hopkins University<\/a>, examined the GnuTLS bug and believes it was an honest \u2013 albeit dumb \u2013 coding mistake.<\/p>\n All conspiracies aside, this crypto-validation failure in GnuTLS means that all Red Hat desktop and server products as well as all Debian and Ubuntu (Linux) installations contain a bug that could be exploited to monitor communications taking place on those machines. This bug impacts affected systems from the bottom to the top. Not only would your secure web-browsing sessions (as indicated by \u2018HTTPS\u2019) be affected, but so too would your applications, downloads, and really any other supposedly encrypted communications that use GnuTLS for implementation.<\/p>\n To be clear, an attacker would need to be on a local network with his or her target in order to exploit any of these bugs. However, under the appropriate circumstances, the bugs could enable an attacker to perform a man-in-the-middle<\/a> attack, where the victim believes he or she is communicating with a trusted online service provider but is in fact sending data packets along to an attacker on the network. Both bugs provide a great way to steal login credentials and survey local-network communications.<\/p>\n