The recent revelation of an SSL/TLS exploit in Apple's OS X and iOS operating systems surprised the security community, not only due to its presence on two relatively secure platforms, but also because of the amount of time that elapsed between its initiation and discovery. As things turned out, however, Apple wasn't alone in its security shortcomings, and encryption at-large may be suffering from vulnerabilities that were introduced into code and cryptography libraries some time ago.
Not long after the "goto fail" SSL/TLS weakness was found, researchers announced that they had discovered a similar bug in the open source GnuTLS library. If anything, this vulnerability is worse than Apple's, since it affects a huge swath of Linux distributions that underpin critical enterprise applications. More than 200 different operating systems depend on GnuTLS for SSL and TLS implementations, ranging from business favorites such as Red Hat to consumer choices like Ubuntu and Debian.
"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification," stated an advisory from Red Hat. "An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."
While no clear link exists between "goto fail" and the GnuTLS bug, the coincidental timing is worrisome. SSL/TLS guarantee the safety of the Web at-large, playing a critical role in protecting e-commerce platforms, online banking, social networks and many other services. For years, moving toward ubiquitous HTTPS has been an admirable goal for website operators, but these recent revelations may be cause for pause.
Of course, SSL/TLS should still be utilized, but security experts will need to be more diligent than ever in scrutinizing the protocol for possible weaknesses. "Goto fail" shipped with iOS 6.0 in September 2012, yet wasn't discovered until a year and a half later, a worrying oversight that jeopardized massive amounts of in-transit data. Going forward, increased attention to encryption and certificates will ideally lead to quicker identification and patching of similar issues.
Goto fail and the GnuTLS bug: Primers in how not to code C
For a vulnerability that caused such widespread anxiety, "goto fail" was almost disarmingly simple. It gets it name from one of the standard paradigms in the C programming language for error handling, goto fail, which in this case was improperly coded. Programmers make syntactical errors, logic mistakes and typos all the time, but few with the impact of the one in iOS and OS X.
The trouble was entirely due to an unneeded duplicate of a goto fail statement in the OS code. The original instance, contained in an if-statement, would correctly cause the program's control flow to shift if it couldn't verify whether a website was vouching for the validity of its SSL certificate. However, the duplicate diverts the program, causing it to bypass the critical code that actually checks the digital signature.
The simplicity of the error makes a good case for "goto fail" being a simple oversight, although it's worth noting that using "goto" statements is considered poor programming protocol in some circles. Accordingly, ensuring that these types of mistakes don't occur as frequently in the future will require concerted efforts from programmers, security experts and business teams to improve their practices.
While Apple quickly patched iOS – easily the larger of its two platforms – it took some time to roll out a fix for OS X, which is distressing in light of the growing number of consumers and businesses that rely on the Mac. The bug was simple, yet escaped notice for a long time and probably could have been addressed more efficiently.
The GnuTLS loophole hasn't received nearly the amount of press as "goto fail," but it may be more serious. On a technical level, it stems from a C error, just like Apple's issue, but the mistake is a bit more nuanced.
"It allows someone to impersonate a trusted website, which as far as TLS/SSL goes is the attacker's Holy Grail," said cryptographer Matthew Green of Johns Hopkins University, according to Threatpost. "This one was more of a dumb coding mistake, whereas Apple could have been a cut-and-paste error. It looks like [GnuTLS] failed to cast a return variable correctly. C is hard."
More specifically, the faulty GnuTLS code was supposed to return a Boolean variable (true or false) to indicate certificate validity. Instead, it passed back different negative numbers that threw everything off – for Boolean purposes in C, all numbers except 0 are true, meaning that a certificate could be interpreted as valid despite the message trying to indicate that it had failed the test.
The GnuTLS bug was likely the result of insufficient code testing, magnified by the difficulty of implementing features in C, which can result in many accidental errors that slip past review. Programmers are used to false positives from C compilers and may ignore them, which is acceptable practice in many cases but not when it comes to critical security features such as SSL/TLS implementation.
What organizations can learn from SSL/TLS vulnerabilities
To its credit, Apple considered "goto fail" enough of a priority to issue a fix for iOS 6, even if it took a while to address the vulnerability on OS X. However, the worrying part about both "goto fail" and GnuTLS is that these critical mistakes somehow were not noticed during code review across multiple organizations.
Granted, catching every single bug and potential vulnerability is a tough undertaking, especially for vendors that operate at massive scale and are always updating code. Nonetheless, security takes the back seat far too often and is addressed only later on, the technological equivalent of closing the barn door after the cows have left.
Basic security mechanisms such as SSL/TLS can't be taken for granted. The security community must make an extra effort to help companies prioritize screening for vulnerabilities and quickly patching weaknesses as they're identified.