Warning about using older GnuTLS versions
- From: Michael Catanzaro <mcatanzaro gnome org>
- To: epiphany-list gnome org
- Cc: Desktop Development List <desktop-devel-list gnome org>, distributor-list gnome org
- Subject: Warning about using older GnuTLS versions
- Date: Tue, 07 Jan 2020 13:53:01 -0600
Hi,
In light of recently-published chosen-prefix attacks on SHA1 [1], I
caution that it is no longer safe to use Epiphany, or any other
WebKitGTK-based browser, or libsoup, or any applications based on
libsoup, or any other applications using GLib's networking facilities,
in combination with GnuTLS versions older than GnuTLS 3.6. GnuTLS
versions prior to 3.6 will accept certificates that use SHA1
signatures. It is now both possible and economically-feasible to forge
these signatures. Your secure connections can no longer be trusted to
be secure when using these older versions of GnuTLS.
Notably, this affects Ubuntu 18.04, which still uses GnuTLS 3.5, and
all derived distros. Many other distros are also affected.
Michael
[1]
https://arstechnica.com/information-technology/2020/01/pgp-keys-software-security-and-much-more-threatened-by-new-sha1-exploit/
[Date Prev][
Date Next] [Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
