Slashdot Mirror


New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'

1 of 217 comments

  1. Re:This is awesome by Anonymous Coward · Score: 5, Informative

    OpenSSL design is fundamentally flawed. Bug fixes will probably introduce more bugs in many cases.

    Well, the LibreSSL project is ripping out much of the code and rebuilding it: http://www.libressl.org/

    I mean, OpenSSL will use your actual private key as a source of entropy. How messed up is that?

    Ummm, your private key should be randomly generated, otherwise public key encryption doesn't work too well.

    But your private key doesn't change, so that isn't a good thing to do. Fixing the entropy is one of the many things LibreSSL is doing: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00016.html