GnuTLS patches huge security hole that hung around for two years – worse than Heartbleed, says Google cryptoboffin
GnuTLS, a widely used open source library implementing Transport Layer Security, last week fixed a bug, present in the code for almost two years, that made resumed TLS 1.3 sessions vulnerable to attack.

The TLS handshake requires two round-trips between client and server to establish a secure connection. Session tickets provide a way to resume previously established connections with only one round-trip. But this convenience comes at a cost – it’s less secure, as described by Google cryptographer Filippo Valsorda.
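To make the cost concrete, here is an added, self-contained model of what a session ticket is from the server's side: the server encrypts and integrity-protects the session state under a secret ticket key, hands the opaque blob to the client, and later accepts it back in place of a full handshake. This is illustrative code written for this article, not GnuTLS code; every name in it (`mint_ticket`, `resume`, `check_ticket_key`, the ticket layout, the 7200-second lifetime) is an assumption. The stdlib has no AEAD cipher, so an HMAC-based keystream with encrypt-then-MAC stands in for the AES-GCM a real stack would use. The point it demonstrates is that the whole scheme reduces to the secrecy and freshness of one server-side key: a ticket is only as trustworthy as the key that minted it, so a server should refuse to start with a key that is not fresh CSPRNG output and should keep old keys only for a bounded rotation window.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Illustrative constants (assumed policy, not GnuTLS's values).
TICKET_KEY_LEN = 32       # bytes of ticket-protection key
NONCE_LEN = 16            # per-ticket random nonce
TAG_LEN = 32              # HMAC-SHA256 tag length
TICKET_LIFETIME = 7200    # seconds a ticket stays resumable


def check_ticket_key(key: bytes) -> None:
    """Refuse keys that are the wrong size or visibly non-random.

    Anyone who knows or can guess the ticket key can read every ticket's
    session state and mint tickets the server will accept, so a weak key
    silently voids the protection the full handshake provided.
    """
    if len(key) != TICKET_KEY_LEN:
        raise ValueError("ticket key must be %d bytes" % TICKET_KEY_LEN)
    # Crude sanity check: 32 CSPRNG bytes show about 30 distinct values on
    # average; an all-zero, repeated or otherwise constant key does not.
    if len(set(key)) < 8:
        raise ValueError("ticket key looks constant or low-entropy")


def new_ticket_key() -> bytes:
    """Generate a fresh ticket key from the OS CSPRNG and sanity-check it."""
    key = secrets.token_bytes(TICKET_KEY_LEN)
    check_ticket_key(key)
    return key


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from the ticket key.
    enc_key = hmac.new(key, b"ticket-enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"ticket-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC in counter mode as a PRF keystream; a stand-in for AES-GCM,
    # which the standard library does not provide.
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream.extend(hmac.new(enc_key, nonce + struct.pack(">I", block_no),
                               hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


def mint_ticket(key_id: int, key: bytes, state: dict, now: float) -> bytes:
    """Server side: wrap session state into an opaque ticket.

    Layout: key_id (4) | nonce (16) | ciphertext | HMAC tag (32).
    """
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    payload = json.dumps({"issued": now, "state": state}).encode()
    ciphertext = _keystream_xor(enc_key, nonce, payload)
    header = struct.pack(">I", key_id) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def resume(keyring: dict, ticket: bytes, now: float):
    """Server side: validate a presented ticket and recover session state.

    Returns the state dict, or None if the ticket must be rejected (unknown
    key id, bad tag, or expired), in which case a full handshake is required.
    """
    if len(ticket) < 4 + NONCE_LEN + TAG_LEN:
        return None
    key_id = struct.unpack(">I", ticket[:4])[0]
    key = keyring.get(key_id)
    if key is None:               # key retired or never ours
        return None
    enc_key, mac_key = _subkeys(key)
    header = ticket[:4 + NONCE_LEN]
    ciphertext = ticket[4 + NONCE_LEN:-TAG_LEN]
    tag = ticket[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return None
    payload = json.loads(_keystream_xor(enc_key, header[4:], ciphertext))
    if now - payload["issued"] > TICKET_LIFETIME:
        return None
    return payload["state"]
```

The `keyring` argument models rotation: a server holds the current key plus the previous one under their own `key_id`s for one lifetime, then drops the old id so that tickets minted under it stop resuming. Anything not in the keyring, anything whose tag does not verify, and anything older than the lifetime falls back to a full handshake, which is the safe failure mode.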