OpenSSL bug allows hackers to see private communication

Newly discovered bug in OpenSSL could allow an attacker to see private communication

The world hasn’t yet recovered from the Heartbleed vulnerability in OpenSSL and now there’s news of a new bug affecting the popular open-source security package. This recently announced, and already patched, exploit could allow an attacker to see and modify traffic between an OpenSSL client and an OpenSSL server. This sounds worse than it really is. The extent of the issue is extremely limited because we’re talking about specific versions of OpenSSL server. Plus, you need to be using that same server software on a client application, and the attack itself is quite a complicated affair.

The vulnerability, originally discovered in May by researcher Masashi Kikuchi, could allow for an attacker to lower the security of the communication between a client and a server using OpenSSL. In fact, this point is key: the package has to be present on both ends and then the attacker has to use what’s known as a “man-in-the-middle” attack, something not necessarily easy to do. For the uninitiated, a man in the middle attack could be accomplished through a bit of compromised hardware — like, say a router in your local coffee shop — that strips the encryption from the information.

The bug affects all client versions of OpenSSL and servers on version 1.0.1 or 1.0.2-beta1, though it is recommended to update earlier versions as a precaution. The biggest problem is that we don’t really know how many of our applications are using this security package, as this information is not normally disclosed. That said, Adam Langley, a security engineer from Google, confirmed that desktop browsers such as “IE, Firefox, Chrome on Desktop and iOS, Safari, etc.” are not vulnerable, as they don’t use OpenSSL.

 

Source: Engadget - Read the full article here

Author: Daily Tech Whip

This article is part of our 'News Tiles' service. The site is currently in Beta. When it is fully operational you will be able to search through and arrange the 'Tiles' to display a keyword, product or technology over your chosen time period. For example you would be able to display all of the leading tech articles on the new Kindle Fire, in one spot in real time. You will also have access to our own original reporting and analysis as well as a polished place to post your own thoughts & reviews here, amongst the Daily Tech Whip Community. Please let us know if you have any feedback via the contact form or via Twitter. Don't forget to come back next week and see our full site and claim your name and your own free tech blog.

Share This Post On