New OpenSSL Man-in-the-Middle Flaw Affects All Clients
Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'
If open source has one strength, it's that when many skilled eyes DO converge on the code
Keep making excuses for why open source should get a pass on something like this. The code has been around for 16 years. How many eyes have looked at the code since it was put out?
Open source is no better or worse than closed source. People just like to think it is because of situations like this when someone shouts, "I found a flaw!" but completely ignore the time the problem has existed.
If open source is so great, this flaw wouldn't have been around this long, would it?
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
...and it was like ten Christmases to them. They're probably really down that they just lost one of their best toys.
"When information is power, privacy is freedom" - Jah-Wren Ryel
I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.
No, we just need software that isn't a pile of accreted crap.
Cue LibreSSL. Not a moment too soon. Those guys should be paid to do ALL critical security software, because when they do something, they do it RIGHT.
Especially after everyone panic-upgraded after Heartbleed.