New York Times
POSTED: 9:26 p.m. HST, Jun 5, 2014
LAST UPDATED: 6:08 a.m. HST, Jun 6, 2014
Security experts are still trying to plug the hole left by Heartbleed, the bug found in the widely used OpenSSL encryption protocol, with some 12,000 popular domains still vulnerable, according to AVG Virus Labs.
Now they have something else to worry about. On Thursday, the OpenSSL Foundation warned that a decade-old bug allows so-called man-in-the-middle attacks on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it and read the traffic.
OpenSSL users are advised to deploy a patch and upgrade to the latest version of OpenSSL software. The bug was discovered by Masashi Kikuchi, a Japanese researcher at Lepidum, a software firm.
Unlike Heartbleed, which could be used to directly exploit any server using OpenSSL, this new bug requires that the attacker be located between two computers communicating. A likely target, for example, would be someone using an airport's public Wi-Fi.
The new bug was introduced into OpenSSL when it was released in 1998, more than 10 years before Heartbleed, which was introduced in a code update on New Year's Eve in 2011.
That the new bug went undetected for so long is another black mark for OpenSSL management. The encryption method is open source, meaning it can be reviewed and updated by anyone. Because of that, it is considered more secure and more trustworthy than proprietary code vetted by just one company's engineers.
But, in reality, OpenSSL had only one full-time developer and three "core" volunteer programmers in Europe and operated on a budget of $2,000 in annual donations. This, despite the fact that OpenSSL is used to encrypt the majority of the world's web servers and is widely used by technology companies such as Amazon and Cisco.
Following the Heartbleed discovery, major companies, including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware, each pledged $100,000 a year over the next three years to the Core Infrastructure Initiative, a new open source initiative organized by the Linux Foundation to support crucial open-source infrastructure, like OpenSSL.