This bug isn't as serious as Heartbleed because it's more complicated to exploit

Jun 6, 2014 07:08 GMT

There’s a new bug in OpenSSL, much to everyone’s dismay, and this one allows attackers to see and modify traffic between an OpenSSL client and an OpenSSL server.

While this may sound terrible, it’s actually nowhere near as bad as Heartbleed was. In fact, the issue is limited because it only affects specific versions of the OpenSSL server, and the client application on the other end would also need to be using OpenSSL.

According to the announcement, OpenSSL clients are vulnerable in all versions, but servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1, while users of earlier versions are advised to upgrade as a precaution.

The vulnerability was originally discovered in May by researcher Masashi Kikuchi, and the OpenSSL team has since been developing a patch. The issue could allow an attacker to weaken the security of communication between clients and servers that both use OpenSSL.

Attacking someone via this vulnerability is quite complicated. OpenSSL has to be present on both sides, and the attacker then has to carry out a “man-in-the-middle” attack, positioned between the targeted client and server so that they can decrypt and modify the traffic passing between the two.

This is good news, because it means that there are a lot of variables that need to align perfectly for such an attack to be possible, which seriously lowers the chances of this happening. It doesn’t mean, however, that it’s impossible.

It is unknown just how many of the applications out there use this security package, but desktop browsers such as Chrome, Firefox, and Internet Explorer should be safe since they don’t use OpenSSL.

On the other hand, it’s unclear whether this vulnerability was ever exploited and, if so, how many times. It looks like the problem has been around for a long time. In fact, according to Adam Langley, senior staff software engineer at Google, the bug has existed for some 15 years, which means the window in which it could have been abused is a serious concern.

So, if you were planning to be mad about the fact that they took a whole month to issue a patch and to make sure the fix didn’t introduce any new security holes, remember that the vulnerability might have been around for a very long time already.

One thing this new bug report makes obvious is that more people are looking into OpenSSL and checking it for bugs, which means the code is getting better and better, which in turn translates into “safer.” The fact that the big tech companies have decided to support the project financially is also quite a good sign.