bit-tech.net

OpenSSL hit by another major vulnerability

OpenSSL hit by another major vulnerability

The OpenSSL project has been hit by the discovery of yet another major security vulnerability, this time dating back to its very first release.

The open-source OpenSSL cryptography project, still recovering in the wake of the Heartbleed vulnerability, has discovered more security vulnerabilities in its code - including a seriuos flaw that can allow for man-in-the-middle (MITM) attacks.

Publicly disclosed back in April, Heartbleed was the name given to a vulnerability in the widely-used OpenSSL package that allowed an attacker to force a server using OpenSSL for encryption to disclose the contents of its memory. This contents, researchers soon discovered, could include the server's private key - allowing said attacker to decrypt data from other users, or even to pose as the server itself. The flaw was serious enough to trigger a major code review, resulting in enough issues being discovered that the founders of the BSD project announced a fork, dubbed LibreSSL, designed to address the problems.

Those working on OpenSSL itself have been hard at work too, of course, and have announced a range of fixes in the latest release. One of these, the CCS Injection Vulnerability, is particularly concerning: present, its discoverer claims, since the very first release of OpenSSL, it allows attackers to sit between the client and the server and silently decrypt and re-encrypt data - busting the protection offered by an OpenSSL-encrypted connection wide open.

While the problem has been fixed in the latest releases, it's another serious blow for the OpenSSL project - and for those who claim open-source projects are more secure than their closed-source equivalents by nature of having their source code open to review. While this may be technically true, Heartbleed and its follow-ups have demonstrated one thing clearly: having the code open to review does not improve security unless and until it is reviewed by experts capable of tracking down these types of bugs.

Technical details of the flaw are available from Masashi Kikuchi, who discovered the issue and reported it to the OpenSSL project in April.

4 Comments

Discuss in the forums Reply
SinxarKnights 7th June 2014, 14:07 Quote
I personally find this to be a good thing but others may not agree. The more bugs like this that are found the better. It is unfortunate that it took such a major issue (Heartbleed) to draw attention to code corporations has been using for years without actually looking at how it works and if it is reasonably secure.

This whole debacle with OpenSSL had me wondering, why did so many large important sites/networks/corporations use something like this without inspecting the code for vulnerabilities? Did everybody just jump on the bandwagon with the assumption "Company X uses it, so it is safe"? Or are code security and encryption experts like Masashi Kikuchi so few and far between that the likelihood of one of them laying their eyes on the code is almost nill?

I can see nothing but good coming from this. Sure some people might lose faith in OpenSSL (or open source as a whole) but it will be stronger as a result.
Baguette 7th June 2014, 16:14 Quote
The important thing to realise is that these issues are not easily spotted. They are not caused by a lazy this'll-do attitude. The openSSL project gets contributions from some really clever people, but one of the quirks of programming is that you sometimes can't predict exactly how code will work.
Big companies won't inspect the code because it is code that is already tested to be secure, and on such a large scale that spotting a new vulnerability is a very low chance, compared to the cost of testing. Some people do put money into this however, and some companies live solely to test security code!
debs3759 7th June 2014, 17:56 Quote
Things like this make me glad I'm usually skint - there's nothing for anyone to abuse/steal :)
forum_user 7th June 2014, 20:52 Quote
We need secure protection. It is too easy for me (and the world) to download Kali Linux and use the network tools to watch my neighbours' browsing habits.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums