Ars Technica reports that Linux has a similar bug to Apple’s SSL bug of last week.
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package.
Matt Green, a Johns Hopkins University professor specializing in cryptography, characterized the vulnerability this way: “It looks pretty terrible.”
Now, it is a popular thing amongst open source proponents to say that their platform is inherently more secure because open software benefits from having more eyes looking at it, whereas Apple’s software is insecure because only Larry looks at it. Or something to that effect. They don’t always name Larry.
Witness Katherine Noyes, formerly of PCWorld, arguing why Android is inherently more secure than iOS (seriously):
More “eyeballs” studying the code means problems are caught more quickly.
Here’s Cory Doctorow lauding Linux in the Wall Street Journal:
I use Ubuntu (ubuntu.com), a free operating system. Because the code is open to scrutiny to all, security vulnerabilities are rooted out quickly.
This SSL bug may have been in the code for nine years. Please, tell me again that trope about how Mac users blindly think their computers are invulnerable to attack. And it’s not like it’s the only one the platform’s had.
I’m not saying Macs are more secure than Linux. I really wouldn’t know, and I firmly believe Apple has not paid enough attention to Mac security throughout the past decade. I’m certainly not arguing that security through obscurity is better. What I am saying is that Linux’s security fortunes have more to do with the same thing that kept Macs more secure for years than with the inherent awesomeness of “open sauce”: its low market share. One only has to look at Android to prove the point (high market share, low practical security).
The protection of low market share is still a selling point (or would be if Linux were actually sold for currency), and open software is an important part of computing as we know it. I personally support mandating that all voting machines be based on open-source software. But the Linux community isn’t being done any favors by its boosters talking up how being open makes it better protected. Based on observation, this theory does not seem to hold up in practice.
UPDATE: Watts Martin has a similar reaction:
And no one—not even the most passionate open source developer—ever says something like, “You know what I’d like to do tonight? Give GnuTLS a code security audit.”