Socat, a more feature-rich version of netcat, has a serious security flaw. The program uses the Diffie-Hellman method to establish a key, but it uses a non-prime parameter where it should use a prime. This flaw, coupled with the relatively short socat cryptography keys, makes the encryption suspiciously easy to crack. There are theories that the non-prime was deliberately built in as a backdoor. The primary suspect is a guy named Zhigang Wang. The article also mentions a backdoor in NetScreen firewalls that allowed the coders who made the program to access data encrypted by the VPN.
Both of these stories drive home the ‘nothing is ever really secure’ argument. Also, the idea of backdoors is something to consider. If the programmers who make your privacy applications have nefarious intentions, your data is not safe. However, the flaw being identified so quickly drives home a point that we were learning about in 5209, which was that open source is better than proprietary programs when it comes to encryption because weaknesses are often found more quickly due to the variety of eyes scrutinizing the code.
Read the article here
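An added example, not part of the original post or of socat's code: a check that a Diffie-Hellman modulus is actually prime and long enough, which is the test a non-prime parameter like the one described above fails. The sample moduli are constructed (not socat's real parameter), the function names are hypothetical, and the 2048-bit minimum is an assumed policy value.

```python
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test. False means n is certainly composite; True means
    n is prime with error probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    # Write n - 1 as d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def check_dh_modulus(p, min_bits=2048):
    """Return a list of findings for DH modulus p; an empty list means OK.
    min_bits is an assumed policy threshold, not a value from the post."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"modulus is {p.bit_length()} bits, below {min_bits}")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    return findings


# Constructed sample values for illustration only.
PRIME_P = 2**521 - 1                        # a Mersenne prime
COMPOSITE_P = (2**521 - 1) * (2**607 - 1)   # product of two Mersenne primes

if __name__ == "__main__":
    for name, p in (("PRIME_P", PRIME_P), ("COMPOSITE_P", COMPOSITE_P)):
        print(name, check_dh_modulus(p, min_bits=512) or "OK")
```

Running a check like this against hard-coded DH parameters in a build or review step turns "is this number really prime?" from a matter of trust in the contributor into a mechanical test.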
Using a non-prime number for security is like pretending that closing a screen door protects a home. Usually having a shared workspace prevents anyone from inserting backdoors easily, but this went unnoticed for years. Maybe other developers accepted the authority of Zhigang Wang. Another possibility is that with poor management no one wants to do the tedious task of reviewing others’ code.