Latest in Exploit

Image credit:

OpenSSL bug allows hackers to see private communication

86 Shares
Share
Tweet
Share
Save

Sponsored Links

The world hasn't yet recovered from the Heartbleed vulnerability in OpenSSL and now there's news of a new bug affecting the popular open-source security package. This recently announced, and already patched, exploit could allow an attacker to see and modify traffic between an OpenSSL client and an OpenSSL server. This sounds worse than it really is. The extent of the issue is extremely limited because we're talking about specific versions of OpenSSL server. Plus, you need to be using that same server software on a client application, and the attack itself is quite a complicated affair.

The vulnerability, originally discovered in May by researcher Masashi Kikuchi, could allow for an attacker to lower the security of the communication between a client and a server using OpenSSL. In fact, this point is key: the package has to be present on both ends and then the attacker has to use what's known as a "man-in-the-middle" attack, something not necessarily easy to do. For the uninitiated, a man in the middle attack could be accomplished through a bit of compromised hardware -- like, say a router in your local coffee shop -- that strips the encryption from the information.

The bug affects all client versions of OpenSSL and servers on version 1.0.1 or 1.0.2-beta1, though it is recommended to update earlier versions as a precaution. The biggest problem is that we don't really know how many of our applications are using this security package, as this information is not normally disclosed. That said, Adam Langley, a security engineer from Google, confirmed that desktop browsers such as "IE, Firefox, Chrome on Desktop and iOS, Safari, etc." are not vulnerable, as they don't use OpenSSL.

The problem is serious if all the required variables are in place, but you shouldn't worry about it too much. That is, if you're not a systems administrator. And you shouldn't even worry about using software with OpenSSL in general. You may be surprised to hear this after the Heartbleed issue and this new problem, but the fact is that this latest exploit was discovered because there are more eyes reviewing the OpenSSL code, which means that the software is getting even better and safer.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
86 Shares
Share
Tweet
Share
Save

Popular on Engadget

Engadget's Guide to Privacy

Engadget's Guide to Privacy

View
FCC creates two 'innovation zones' to test next-gen wireless

FCC creates two 'innovation zones' to test next-gen wireless

View
‘Call of Duty’ comes to mobile on October 1st

‘Call of Duty’ comes to mobile on October 1st

View
AT&T reportedly considers offloading its DirecTV satellite unit

AT&T reportedly considers offloading its DirecTV satellite unit

View
T-Mobile’s Sprint merger is opposed by 18 state attorneys general

T-Mobile’s Sprint merger is opposed by 18 state attorneys general

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr