OpenSSL bug allows hackers to see private communication

Sponsored Links

Jose Andrade
June 5, 2014 9:52 PM
OpenSSL bug allows hackers to see private communication

The world hasn't yet recovered from the Heartbleed vulnerability in OpenSSL and now there's news of a new bug affecting the popular open-source security package. This recently announced, and already patched, exploit could allow an attacker to see and modify traffic between an OpenSSL client and an OpenSSL server. This sounds worse than it really is. The extent of the issue is extremely limited because we're talking about specific versions of OpenSSL server. Plus, you need to be using that same server software on a client application, and the attack itself is quite a complicated affair.

The vulnerability, originally discovered in May by researcher Masashi Kikuchi, could allow for an attacker to lower the security of the communication between a client and a server using OpenSSL. In fact, this point is key: the package has to be present on both ends and then the attacker has to use what's known as a "man-in-the-middle" attack, something not necessarily easy to do. For the uninitiated, a man in the middle attack could be accomplished through a bit of compromised hardware -- like, say a router in your local coffee shop -- that strips the encryption from the information.

The bug affects all client versions of OpenSSL and servers on version 1.0.1 or 1.0.2-beta1, though it is recommended to update earlier versions as a precaution. The biggest problem is that we don't really know how many of our applications are using this security package, as this information is not normally disclosed. That said, Adam Langley, a security engineer from Google, confirmed that desktop browsers such as "IE, Firefox, Chrome on Desktop and iOS, Safari, etc." are not vulnerable, as they don't use OpenSSL.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

The problem is serious if all the required variables are in place, but you shouldn't worry about it too much. That is, if you're not a systems administrator. And you shouldn't even worry about using software with OpenSSL in general. You may be surprised to hear this after the Heartbleed issue and this new problem, but the fact is that this latest exploit was discovered because there are more eyes reviewing the OpenSSL code, which means that the software is getting even better and safer.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget