Friday, July 25, 2014         


New bug found in popular OpenSSL encryption

By Nicole Perlroth

New York Times

LAST UPDATED: 06:08 a.m. HST, Jun 06, 2014

Security experts are still trying to plug the hole left by Heartbleed, the bug found in OpenSSL, the widely used open-source library that implements the SSL/TLS encryption protocols; some 12,000 popular domains are still vulnerable to it, according to AVG Virus Labs.

Now they have something else to worry about. On Thursday, the OpenSSL project warned that a decade-old bug (CVE-2014-0224, the so-called ChangeCipherSpec injection bug) allows man-in-the-middle attacks on traffic encrypted with OpenSSL. The advisory warns that an attacker sitting between two vulnerable OpenSSL endpoints can tamper with the handshake so that both sides derive weak keys, then intercept the connection, decrypt it and read the traffic.

OpenSSL users are advised to apply the patch and upgrade to the fixed release for their branch (0.9.8za, 1.0.0m or 1.0.1h). The bug was discovered by Masashi Kikuchi, a researcher at Lepidum, a Japanese software firm.
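A practical first check, added here as an example (it is not code from the article, from the OpenSSL project or from Lepidum): compare the version string that `openssl version` prints against the releases that carry the fix. The fixed versions 0.9.8za, 1.0.0m and 1.0.1h come from the OpenSSL advisory of June 5, 2014 and are not stated in the article; the sample version strings in the code are constructed. OpenSSL patch levels are letters that sort alphabetically, with the two-letter "za" following "z", which is why the comparison key uses the suffix length before the letters themselves.

```python
import re
import subprocess

# Releases that carry the CCS injection fix (CVE-2014-0224), per the OpenSSL
# advisory of 5 June 2014 (not stated in the article): one per maintained branch.
FIXED_VERSIONS = ("0.9.8za", "1.0.0m", "1.0.1h")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '1.0.1g' or 'OpenSSL 1.0.1g 7 Apr 2014' into a sortable tuple.

    OpenSSL patch levels are letters: '' < 'a' < ... < 'z' < 'za' < 'zb'.
    Comparing the suffix length before the letters keeps 'za' above 'z'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def is_ccs_injection_patched(version_text):
    """True/False when the branch is in FIXED_VERSIONS, None for other branches.

    None covers branches the advisory's fix list does not name (for example the
    1.0.2 betas of the time), which must be checked against their own release notes.
    """
    v = parse_openssl_version(version_text)
    for fixed in FIXED_VERSIONS:
        f = parse_openssl_version(fixed)
        if f[:3] == v[:3]:  # same branch (major.minor.fix)
            return v >= f
    return None


def local_openssl_status():
    """Classify the openssl binary on this host; needs `openssl` on PATH."""
    out = subprocess.check_output(["openssl", "version"]).decode().strip()
    return out, is_ccs_injection_patched(out)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(sample, "->", is_ccs_injection_patched(sample))
    try:
        print("local:", local_openssl_status())
    except (OSError, subprocess.CalledProcessError):
        print("local: openssl binary not found")
```

A version string only tells you what the binary reports; distributions that backport fixes without bumping the version (Red Hat and Debian both did for this bug) need the package changelog checked instead, and a `None` result means the branch is outside the advisory's table rather than safe.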

Unlike Heartbleed, which could be exploited directly against any server running a vulnerable OpenSSL version, this new bug requires the attacker to sit on the network path between two computers that are both running vulnerable OpenSSL (clients are affected in every version, while servers are only known to be exploitable on OpenSSL 1.0.1 and later). A likely target, for example, would be someone using an airport's public Wi-Fi.

The new bug has been present since OpenSSL's first release in 1998, more than 10 years before Heartbleed, which was introduced in a code update on New Year's Eve 2011.

That the new bug went undetected for so long is another black mark for OpenSSL's management. The library is open source, meaning its code can be reviewed and updated by anyone, and for that reason it is often considered more secure and more trustworthy than proprietary code vetted by just one company's engineers.

But in reality OpenSSL had only one full-time developer and three "core" volunteer programmers in Europe, and operated on about $2,000 a year in donations, despite being used to secure a majority of the world's web servers and by technology companies such as Amazon and Cisco.

Following the Heartbleed discovery, major companies, including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware, each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, a new open source initiative organized by the Linux Foundation to support crucial open-source infrastructure, like OpenSSL.


manakuke wrote:
on June 6, 2014 | 03:12AM
saveparadise wrote:
The internet will never be totally secure as long as there are criminals willing to exploit it. You must rid the world of criminals or make sure they cannot profit from the entities involved.
on June 6, 2014 | 09:01AM