The entire GnuTLS exploit situation was inflated into a non-existent problem for Linux

Mar 7, 2014 14:20 GMT

The Linux world has been “rocked” by reports of a major GnuTLS exploit that would have allowed “Man-in-the-Middle” attacks using false security certificates. Those reports couldn’t be farther from the truth, and the entire situation has been treated as if Linux worked like its Windows counterpart.

GnuTLS sounds like something complicated, but in fact it is very similar to the more popular OpenSSL library. GnuTLS is a library that implements the SSL and TLS protocols and handles the certificates they rely on.

The official announcement that followed the discovery of the GnuTLS flaw reads as follows in Ubuntu; other distributions issued similar notices:

“Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly handled certificate verification functions. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited with specially crafted certificates to view sensitive information.”

It sounds bad, but the truth is that this is run-of-the-mill activity on the Linux platform. Contrary to popular belief, Linux packages are far from perfect: flaws, exploits, and other problems are identified all the time, and they get fixed.

The operative word is “fixed.” This particular GnuTLS bug was identified and fixed in just a few hours, and all major distributions issued patches right away. This procedure is not reserved for special occasions; it happens a few times a week, or whenever it's necessary.

This is how open source works. An exploit is found, someone patches the problem, the new versions are uploaded to the repositories, and users receive them with their next system update.

For some weird reason, this particular GnuTLS exploit was treated by a lot of people as something that should worry users, and on many occasions it was portrayed as proof that the Linux platform is just as vulnerable as its Windows and Mac OS X counterparts.

What's funny about the entire situation is that Ubuntu, for example, closed three other vulnerabilities on the same day, in PHP, Python, and OpenJDK 6. No one really cared.

The GnuTLS exploit is somewhat similar to the recent “goto” bug in Mac OS X, which took Apple a week to fix. Let's not even get into how long it takes Microsoft to fix a security problem.

If this GnuTLS debacle has taught us anything, it is that if you want an OS that is as safe as humanly possible, why would you settle for anything less than a Linux one?