
Another Heartbleed? OpenSSL encryption toolkit vulnerable again

Published time: June 05, 2014 20:46
Reuters / Mal Langsdon

Security experts have spotted another glaring flaw in the OpenSSL encryption library, rekindling fears that have barely subsided since the Heartbleed bug was found in the same library earlier this year.

The OpenSSL project said on Thursday that a flaw had been discovered which, if exploited, could let a skilled attacker “decrypt and modify” web traffic assumed to be protected by the widely used library.

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server,” reads the advisory issued on Thursday. “The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”
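The advisory quoted above does not say what the “carefully crafted handshake” is. As an added illustration that is not part of the article and not OpenSSL's code, the Python toy below models a server-side handshake state machine in which a ChangeCipherSpec message accepted before the key exchange has completed causes the session keys to be derived from an empty master secret, which is the mechanism documented for this bug outside this article, and puts it beside a strict state machine that rejects the out-of-order message. The class and function names, the HMAC-SHA256 key schedule standing in for the TLS PRF, the hashed premaster and the one-shot key-block caching are all simplifications chosen for the example.

```python
import hashlib
import hmac
import os


class HandshakeError(Exception):
    """The peer aborts the handshake (a fatal alert in a real TLS stack)."""


def derive_session_key(master_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Toy stand-in for the TLS key schedule (assumption: HMAC-SHA256, not the real PRF).

    Both randoms travel in the clear in the Hello messages, so anyone on the
    path who also knows master_secret can reproduce this key.
    """
    return hmac.new(master_secret, b"key expansion" + client_random + server_random,
                    hashlib.sha256).digest()


class ToyServer:
    """Minimal model of the server side of a handshake (illustrative, not OpenSSL code)."""

    def __init__(self, strict_ccs: bool) -> None:
        self.strict_ccs = strict_ccs        # True: hardened; False: accepts CCS at any point
        self.client_random = b""
        self.server_random = b""
        self.master_secret = b""            # empty until ClientKeyExchange is processed
        self.key_exchange_done = False
        self.key_block = None               # derived once, then reused (models the flaw)

    def handle(self, msg: str, payload: bytes = b"") -> None:
        if msg == "ClientHello":
            self.client_random = payload
            self.server_random = os.urandom(32)
        elif msg == "ClientKeyExchange":
            # Real TLS mixes the premaster with both randoms; a hash of the
            # premaster is enough for the model.
            self.master_secret = hashlib.sha256(b"premaster:" + payload).digest()
            self.key_exchange_done = True
        elif msg == "ChangeCipherSpec":
            if not self.key_exchange_done and self.strict_ccs:
                raise HandshakeError("unexpected_message: ChangeCipherSpec before key exchange")
            # The lenient server switches to keys computed from whatever the master
            # secret holds right now and keeps that key block for the rest of the
            # handshake, so the client's later, legitimate CCS does not repair it.
            if self.key_block is None:
                self.key_block = derive_session_key(
                    self.master_secret, self.client_random, self.server_random)
        else:
            raise HandshakeError(f"unexpected_message: {msg}")


def run_handshake(strict_ccs: bool, inject_early_ccs: bool) -> str:
    """Drive one handshake and report the outcome from a MITM's point of view.

    Returns "aborted" if the server refused the injected message, "compromised"
    if the attacker, knowing only the public randoms and betting on an empty
    master secret, ends up with the server's session key, and "secure" otherwise.
    """
    server = ToyServer(strict_ccs)
    client_random = os.urandom(32)
    premaster = os.urandom(48)              # never seen by the attacker
    try:
        server.handle("ClientHello", client_random)
        if inject_early_ccs:
            server.handle("ChangeCipherSpec")    # injected by the MITM, not sent by the client
        server.handle("ClientKeyExchange", premaster)
        server.handle("ChangeCipherSpec")        # the client's real CCS
    except HandshakeError:
        return "aborted"
    attacker_key = derive_session_key(b"", client_random, server.server_random)
    return "compromised" if server.key_block == attacker_key else "secure"


if __name__ == "__main__":
    for strict in (False, True):
        for early in (False, True):
            print(f"strict_ccs={strict} early_ccs={early}: {run_handshake(strict, early)}")
```

Only the lenient server with the injected message ends up "compromised"; the strict one answers "aborted", which is why the advisory says the attack needs a vulnerable client *and* server: in the real attack the message is injected toward both peers, and a patched peer on either side refuses it and tears the session down.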

"On the surface, the fact that the vulnerability requires man-in-the-middle positioning for exploitation is limiting, but as better tools are developed, automation might enable easy mass exploitation on Wi-Fi networks and similar environments," warned Ivan Ristic, the director of engineering at vulnerability management vendor Qualys, in a statement published by CRN.

Lepidum, the software company that discovered the latest flaw, described its finding as a “serious vulnerability” that, if exploited, could allow eavesdropping on traffic between browsers, email clients and other networked applications and the servers they talk to.

OpenSSL, a free and open-source cryptographic library that implements the SSL/TLS protocols used to encrypt communications, made headlines in April when it was revealed that a bug in its code had gone unnoticed for years, leaving a large share of the internet's servers exposed. That bug, Heartbleed, was regarded as one of the biggest of its kind ever.

“Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating,” tech reporter Andy Greenberg wrote for Wired on Thursday. “But that still leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA could strip away your Web connection’s encryption before it’s even initialized.”

Thursday’s disclosure came one year to the day after the first article based on documents leaked by Edward Snowden was published. Snowden, a former National Security Agency contractor, has since supplied journalists with a trove of sensitive material on the United States intelligence community’s tactics for bypassing and even sabotaging popular encryption methods meant to protect private communication. To mark the anniversary, a worldwide campaign on Thursday, Reset the Net, aimed to deliver encryption tools and other privacy-protecting features to novice users.

Comments (3)


Magda Mb J 06.06.2014 09:29

yes, but obviously didn't do good job?? or did I?? as these things can leave wonderin how ta do this that, n rest a jargon throw in..doh a jeer deer...


mergon 06.06.2014 09:10

I blame the NSA@GCHQ for the computer fraud. If it was not for them designing the system bugs on a link by link basis we would have the amount of fraud we have today. How many people worked for security agencies and companies/corporations and realised that it is easy to steal someone else's money and then passed that information on?
Agents in the field can get cash from a cash machine without a legitimate account. All systems are gated, it's just a matter of knowing which gate to use!


mergon 06.06.2014 09:02

Ever tried to get rid of McAfee off of your computer?
You have to dredge right down into the dark places to get it out, like some other stuff you download that gets embedded into your system. It's amazing what you find down in the depths of your machine!
