April 28, 2016 | 87° | Check Traffic

Top News

New bug found in popular OpenSSL encryption

  • COURTESY OPENSSL.ORGOn Thursday, the OpenSSL Foundation warned that a decade-old bug allows so-called man-in-the-middle attacks on traffic encrypted with OpenSSL.
    COURTESY OPENSSL.ORG
    On Thursday, the OpenSSL Foundation warned that a decade-old bug allows so-called man-in-the-middle attacks on traffic encrypted with OpenSSL.

Security experts are still trying to plug the hole left by Heartbleed, the bug found in the widely used OpenSSL encryption protocol, with some 12,000 popular domains still vulnerable, according to AVG Virus Labs.

Now they have something else to worry about. On Thursday, the OpenSSL Foundation warned that a decade-old bug allows so-called man-in-the-middle attacks on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it and read the traffic.

OpenSSL users are advised to deploy a patch and upgrade to the latest version of OpenSSL software. The bug was discovered by Masashi Kikuchi, a Japanese researcher at Lepidum, a software firm.

Unlike Heartbleed, which could be used to directly exploit any server using OpenSSL, this new bug requires that the attacker be located between two computers communicating. A likely target, for example, would be someone using an airport’s public Wi-Fi.

The new bug was introduced into OpenSSL when it was released in 1998, more than 10 years before Heartbleed, which was introduced in a code update on New Year’s Eve in 2011.

That the new bug went undetected for so long is another black mark for OpenSSL management. The encryption method is open source, meaning it can be reviewed and updated by anyone. Because of that, it is considered more secure and more trustworthy than proprietary code vetted by just one company’s engineers.

But, in reality, OpenSSL had only one full-time developer and three "core" volunteer programmers in Europe and operated on a budget of $2,000 in annual donations. This, despite the fact that OpenSSL is used to encrypt the majority of the world’s web servers and is widely used by technology companies such as Amazon and Cisco.

Following the Heartbleed discovery, major companies, including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware, each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, a new open source initiative organized by the Linux Foundation to support crucial open-source infrastructure, like OpenSSL.

No comments
By participating in online discussions you acknowledge that you have agreed to the TERMS OF SERVICE. An insightful discussion of ideas and viewpoints is encouraged, but comments must be civil and in good taste, with no personal attacks. Because only subscribers are allowed to comment, we have your personal information and are able to contact you. If your comments are inappropriate, you may be banned from posting. To report comments that you believe do not follow our guidelines, email commentfeedback@staradvertiser.com.