Google puts down POODLE, now wants to eradicate breed

Cupertino closes coffin with gotofail nail

A trio of Googlers have released a tool to help sysadmins identify applications and services open to nasty transport layer security vulnerabilities such as POODLE, Heartbleed and Apple's gotofail.

The dryly named nogotofail tool, written by Android engineers Chad Brubaker, Alex Klyubin and Geremy Condra, allows devs to set up a test for man-in-the-middle vectors on Linux boxes that could help guard against the three big-name attacks.

Brubaker said in release notes the network security testing tool included testing for common SSL certificate verification problems, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, and cleartext traffic.

"Google is committed to increasing the use of TLS/SSL in all applications and services but 'HTTPS everywhere' is not enough; it also needs to be used correctly," he wrote in a blog post.

"Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we've seen platforms make mistakes as well.

"As applications get more complex, connect to more services, and use more third party libraries, it becomes easier to introduce these types of mistakes."

It worked on all internet-connected platforms, from iOS to Windows, and could be configured to send notifications to mobile devices and servers. The attack engine could be deployed as a router, VPN server, or proxy.

Android's security bods had used the tool for "some time" and released it after working with developers to help lift their app infosec game.

"But we want the use of TLS/SSL to advance as quickly as possible," Brubaker said.

He called for the community to contribute to the code base. ®
