Slashdot Mirror

← Back to Stories (view on slashdot.org)

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Posted by timothy on from the disclosure-of-diclosure dept.

Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'

3 of 217 comments (clear)

  1. Re:This is awesome by mean+pun · · Score: 3, Interesting

    I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.

  2. Re: Key phrase of vulnerability : by Anonymous Coward · · Score: 2, Interesting

    No, we just need software that isn't a pile of accreted crap.

    Cue LibreSSL. Not a moment too soon. Those guys should be paid to do ALL critical security software, because when they do something, they do it RIGHT.

  3. Re:Versions by Anonymous Coward · · Score: 2, Interesting

    especially after everyone panic-upgraded after heartbleed.