The open-source OpenSSL cryptography project, still recovering in the wake of the Heartbleed vulnerability, has discovered more security vulnerabilities in its code - including a serious flaw that can allow for man-in-the-middle (MITM) attacks.
The OpenSSL project has been hit by the discovery of yet another major security vulnerability, this time dating back to its very first release.
Publicly disclosed back in April, Heartbleed
was the name given to a vulnerability in the widely-used OpenSSL package that allowed an attacker to force a server using OpenSSL for encryption to disclose the contents of its memory. This contents, researchers soon discovered, could include the server's private key - allowing said attacker to decrypt data from other users, or even to pose as the server itself. The flaw was serious enough to trigger a major code review, resulting in enough issues being discovered that the founders of the BSD project announced a fork, dubbed LibreSSL
, designed to address the problems.
Those working on OpenSSL itself have been hard at work too, of course, and have announced a range of fixes in the latest release. One of these, the CCS Injection Vulnerability, is particularly concerning: present, its discoverer claims, since the very first release of OpenSSL, it allows attackers to sit between the client and the server and silently decrypt and re-encrypt data - busting the protection offered by an OpenSSL-encrypted connection wide open.
While the problem has been fixed in the latest releases, it's another serious blow for the OpenSSL project - and for those who claim open-source projects are more secure than their closed-source equivalents by nature of having their source code open to review. While this may be technically true, Heartbleed and its follow-ups have demonstrated one thing clearly: having the code open to review does not improve security unless and until it is reviewed by experts capable of tracking down these types of bugs.
Technical details of the flaw are available from Masashi Kikuchi
, who discovered the issue and reported it to the OpenSSL project in April.