Nerd blog.

09 Mar 2014

goto fail

When learning programming, beginners are always taught that gotos are dangerous. The danger is not the keyword itself so much as how easily C's syntax lets the real control flow diverge from what the indentation suggests: with no braces around an if-body, one duplicated or misplaced `goto` changes which lines run, and the compiler won't say a word. This has come up twice in the last month, once in Apple's SSL/TLS signature verification (an extra `goto fail;` that skipped the final check) and once in GnuTLS's certificate signature verification (a missing `goto` to the failure label, so an error path was reported as success).
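Both shapes reduced to a few lines, as an added example (constructed for this post, not Apple's or GnuTLS's code). `step()` stands in for a hashing or parsing call that returns 0 on success. `apple_verify_vulnerable` has the unbraced duplicated `goto`; `apple_verify_fixed` keeps the duplicate but inside braces, to show that the braces, not the deletion, are what make it harmless. `gnutls_style_check_vulnerable` models the other failure: a checker that returns 1 for valid, 0 for invalid, and leaks a negative error code through its cleanup label to a caller that treats anything non-zero as "valid"; the `_fixed` variant routes errors through a separate `fail` label that normalises the result to 0.

```c
#include <stdbool.h>

/* Constructed stand-in for a hashing/parsing step: 0 on success,
 * non-zero error code on failure (the convention the Apple code used). */
static int step(int err) { return err; }

/* Extra-goto bug. The second `goto fail;` is not under any `if`, so it
 * always runs. err is still 0 from the previous step, so the caller gets
 * "success" and the signature comparison below is never reached.
 * *checked reports whether the comparison actually ran. */
int apple_verify_vulnerable(int err_a, int err_b, bool sig_bad, bool *checked)
{
    int err;
    *checked = false;
    if ((err = step(err_a)) != 0)
        goto fail;
    if ((err = step(err_b)) != 0)
        goto fail;
        goto fail;              /* duplicated line: unconditional */
    *checked = true;
    err = sig_bad ? -1 : 0;     /* the comparison that gets skipped */
fail:
    return err;
}

/* Same logic with braces. The duplicated goto is deliberately left in
 * place: it now sits inside the if-body, so it is dead code rather than a
 * control-flow change, and the comparison runs whenever the steps succeed. */
int apple_verify_fixed(int err_a, int err_b, bool sig_bad, bool *checked)
{
    int err;
    *checked = false;
    if ((err = step(err_a)) != 0) {
        goto fail;
    }
    if ((err = step(err_b)) != 0) {
        goto fail;
        goto fail;              /* harmless inside the braces */
    }
    *checked = true;
    err = sig_bad ? -1 : 0;
fail:
    return err;
}

/* Missing-goto bug. Returns 1 (valid) or 0 (not valid). On an internal
 * error it jumps to the cleanup label, which returns the negative error
 * code; a caller testing `ret != 0` reads that as "valid". */
int gnutls_style_check_vulnerable(int parse_err, bool sig_ok)
{
    int result;
    if (parse_err < 0) {
        result = parse_err;
        goto cleanup;           /* wrong label: negative code escapes as truthy */
    }
    result = sig_ok ? 1 : 0;
cleanup:
    return result;
}

/* Shape of the fix: error paths go to a separate label that forces the
 * result to 0 ("not valid") before the common cleanup. */
int gnutls_style_check_fixed(int parse_err, bool sig_ok)
{
    int result;
    if (parse_err < 0) {
        goto fail;
    }
    result = sig_ok ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* Caller convention in the GnuTLS-style code: any non-zero result is "valid". */
bool caller_accepts(int check_result) { return check_result != 0; }
```

The practical lesson is the same in both halves: always brace if-bodies, keep one failure label whose only job is to produce a failing result, and compile with warnings for unreachable code so a stray duplicate at least shows up in the build log.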

Both are public and patched now, but the ramifications of both are huge: in each case an attacker in a man-in-the-middle position could present a certificate or signature that fails verification and still have it accepted, which undoes the whole point of TLS. Given that not everyone patches immediately, or even automatically within a few days, a large number of users will remain affected by both of these bugs for years to come. Just like the unpatched Windows XP systems, there are Linux and Mac users out there who avoid all patches, disable automatic updates, and generally leave themselves very vulnerable.

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.