GnuTLS session resumption exploit

Michael Butash michael at butash.net
Wed Jun 10 07:38:21 MST 2020


So pretty much everything that wants to create encrypted TLS network
connections uses it or a like library, or their own TLS engine.

NSA must be slavering at this tidbit, or just already knew.

-mb


On Tue, Jun 9, 2020 at 8:08 PM der.hans via PLUG-discuss <
plug-discuss at lists.phxlinux.org> wrote:

> On 10 Jun, 2020 Seabass via PLUG-discuss chatted thus:
>
> moin moin,
>
> > What exactly is gnutls used for?
> > Web servers, or do general users actually use this for TLS connections?
> > Or something else?
>
> I don't know, but I believe it's in the same category as OpenSSL, so could
> be anything that wants to use TLS.
>
> Debian reverse depends shows 354 packages.
>
> $ apt-cache rdepends libgnutls30 | grep -vc ^lib
> 354
> $
>
> $ apt-cache rdepends libgnutls30 | grep -Evc '^  lib'
> 258
> $
>
> $ apt-cache rdepends libgnutls30 | grep -Ev '^  lib' | awk -F- '{print $1}' | sort -u | wc
>      141     142    1337
> $
>
> Here are some from that list:
>
> telepathy, weechat, vlc, wget, rsyslog, abiword, cups, emacs
>
> ciao,
>
> der.hans
>
> >> moin moin,
> >>
> >> GnuTLS sessions can be resumed, allowing man in the middle attacks
> >>
> >> get yer updates
> >>
> >> https://gitlab.com/gnutls/gnutls/-/issues/1011
> >>
> >> ciao,
> >>
> >> der.hans
>
> --
> #  https://www.LuftHans.com   https://www.PhxLinux.org
> #  "Arguing that you don't care about the right to privacy because you have
> #  nothing to hide is no different than saying you don't care about
> #  free speech because you have nothing to say." -- Edward Snowden
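An added example, not part of the thread: a shell sketch of the reverse-dependency inventory discussed above, which skips the header lines of `apt-cache rdepends` output, strips the indent and the `|` alternative-dependency marker, and de-duplicates entries. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Summarise `apt-cache rdepends <pkg>` output read from stdin.
# Layout handled: a package-name line, a "Reverse Depends:" line, then one
# dependent per line, indented, optionally marked "|" (alternative
# dependency) and sometimes listed more than once.

# Print each dependent package name once, in first-seen order.
rdepends_names() {
    awk '
        /^Reverse Depends:/ { in_list = 1; next }  # header ends here
        !in_list            { next }               # skip package-name line
        {
            sub(/^[ \t]*[|]?/, "")                 # drop indent and "|" marker
            if ($0 != "" && !seen[$0]++) print     # de-duplicate
        }'
}

# Print "<unique dependents> <unique non-library dependents>".
rdepends_counts() {
    rdepends_names | awk '
        { total++ }
        !/^lib/ { nonlib++ }
        END { printf "%d %d\n", total, nonlib }'
}

# Constructed sample standing in for real apt-cache output.
sample_rdepends() {
    cat <<'EOF'
libgnutls30
Reverse Depends:
  wget
  libcurl3-gnutls
 |rsyslog-gnutls
  vlc-plugin-base
  wget
  emacs-nox
EOF
}

# On a Debian-family host:
#   apt-cache rdepends libgnutls30 | rdepends_counts
```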