Developers of the Socat networking tool have fixed a cryptographic flaw that left communications open to eavesdropping for more than a year. The error is so serious that members of the security community believe it could be an intentional backdoor.

Socat is a more complex and feature-rich reimplementation of netcat, a cross-platform networking service that can establish outbound and inbound connections on different ports and protocols. It is also a popular tool for network debugging.

Socat can create encrypted connections using the Diffie-Hellman (DH) key exchange mechanism, which fundamentally relies on a prime number to derive the shared secrets for key exchanges. It turns out that the 1024-bit DH parameter used by Socat was not actually a prime number.

To read this article in full or to leave a comment, please click here