Another vulnerability discovered in OpenSSL




Two months after a critical security issue in OpenSSL was discovered, another dangerous bug in the code has come to light. Attackers can perform a man-in-the-middle attack, but only if the victim also uses OpenSSL.

An attacker who is able to intercept network traffic could use the vulnerability to force weak encryption on an OpenSSL connection. The content of the communication could then be cracked because of the weak encryption, according to an OpenSSL security bulletin.

The vulnerability can only be exploited if both the server and the client are vulnerable to the bug. As a result, users of other SSL/TLS software are not vulnerable. Among others, the desktop versions of Firefox, Safari and Chrome use an SSL/TLS library other than OpenSSL, so users of those browsers have nothing to fear. The Android version of Chrome, however, does use OpenSSL.

The OpenSSL team has released an update for the software. Patching the bug took a month: a Japanese researcher reported the security issue on May 1, but the update was not released until Thursday.

The bug comes two months after the discovery of a much more serious flaw in the OpenSSL code, which allowed an attacker to read small parts of the internal memory of a server running OpenSSL. As a result, private keys, unencrypted passwords and other sensitive data were potentially exposed. A test by CloudFlare, in which a vulnerable server was configured and connected to the Internet, showed that this was the case in practice.

