GnuTLS: Just because people can read the source, doesn’t mean that they do

I don’t want to spend too much time on this topic… Just want to get this out there. As you may have heard, a vulnerability was discovered in GnuTLS, because of sloppy coding:

I want to stress two points here:

1) This code has been in GnuTLS since 2005. So the bug went unnoticed for some 9 years.

2) The code was discovered by Red Hat themselves. Possibly because the recent TLS bug discovered in iOS and OS X (which had only been in there since 2012) inspired them to double-check their own code.

So what this means is: even though the code is open source, it took many years to find the bug, and when the bug was eventually found, it was found by Red Hat themselves, during an audit, rather than an independent party. This once again dispels the myth that Open Source is more secure because bugs are found quickly because of the thousands of eyes watching the code (also known as Linus’ Law). Apparently serious security flaws lie dorment in the code for many years.

For more background information, see Ars Technica.


This entry was posted in Software development, Software news and tagged , , , , , , , , . Bookmark the permalink.

10 Responses to GnuTLS: Just because people can read the source, doesn’t mean that they do

  1. snemarch says:

    What do you mean by “Red Hat themselves”? I didn’t think it had anything to do with RedHat?

    It *is* a good point that the bug was found by a commercial entity doing professional code review, rather than some jobless basement dweller… but it’s also a good point in the favor of OpenSource that the bug was found & fixed by a third party. (Sure, {whatever-color}-hat hackers find exploits without having access to source code, but I’d wager that proprosing a fix is easier if you have the source, and it’s easier to get accepted than with certain closed-source vendors).

    • Scali says:

      Well, the Ars Technica article says:

      The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.”

      So Red Hat discovered the bug during an audit. Which is no different from any other company doing an audit on their own (open or closed) code.

      Edit: This seems to be the original bug report:
      As you can see, “Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team” discovered the bug and provided the patch.

    • Scali says:

      I suppose you could say that only makes it worse that Red Hat found it after 8 years… Namely, Red Hat is just one of many GNU/linux distributions that all use GnuTLS, and they all do (or should do) security audits. And even THEN none of them found it before.
      Perhaps open source actually works against them? They think other people are auditing the code as well, so they don’t need to audit as often or pay as much attention during an audit?

      • musicxs says:

        While the security flaw is not good press, actually both proprietary and open source software are equally good at security. At least Guido Shyren stated that in his scientific article “Is open source security a myth?” in Communications of the ACM (doi:10.1145/1941487.1941516). But to my knowledge there has been little research done in just this field. And his work is in my opinion important, since it covers a comparison of 17 different open source and closed source programs, ranging from applications such as email clients and web browsers to operating systems.

  2. musicxs says:

    I would say that it is more easy to find bugs/security flaws in open source software combined to its proprietary counterpart. Yes, it does not mean that every user would take a look in the source code. There are many reasons to this. If you would be a Linux user, the answer would be that there are too many lines of source code to manage, when you combine the operating system and all applications you use. That would be true for me.

    I am aware that different programs have their own strengths and flaws. But I can not see how one flaw in one program, that happens to be open source, does mean that every open source program is insecure. At least I get that impression from this blog post.

    • Scali says:

      You’re turning things around. The myth is that people think that every open source program is secure, because people can and will read the source code. I’m pointing out that this is a myth. You make it into a false dilemma by claiming that every open source program must be insecure. I never said that. There’s a big difference between “Not every open source program is secure” and “Every open source program is insecure”.

      • musicxs says:

        I did not mean that every open source program secure. I just stated that I got that impression of this blog post. Probably I just read the post too fast, I am sorry about that. But you make a valid point about that just because something is open source, it does not mean that it therefore is secure.

  3. Pingback: Open Source = Secure Programs? | A blog about (almost) everything

  4. k1net1cs says:

    Scali, you’re not going to make another point with OpenSSL’s Heartbleed? =b

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s