Google releases “nogotofail” to detect HTTPS bugs before they bite users

Following a string of catastrophic vulnerabilities recently discovered in HTTPS encryption protections, Google engineers have released an app that allows developers to detect bugs and glitches that may leave passwords and other sensitive information open to snooping.

The open source tool is dubbed nogotofail, a reference to the so-called goto fail flaw that gave attackers an easy way to surreptitiously circumvent HTTPS-protected connections of Apple iOS and OS X devices. Since its discovery in February, various implementations of the underlying secure sockets layer (SSL) and transport layer security (TLS) protocols have suffered several other devastating vulnerabilities, including a flaw in the GnuTLS library, the catastrophic Heartbleed bug in OpenSSL, and the more recently disclosed in version 3 of SSL.

"The Android Security Team has built a tool, called nogotofail, that provides an easy way to confirm that the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations," Google engineers wrote in a blog post published Tuesday morning. "Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy."

Read 1 remaining paragraphs | Comments