Slashdot Mirror
New OpenSSL Man-in-the-Middle Flaw Affects All Clients
Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'
"but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought"
As will always be. Any attempt at security by involving the end user is a recipe for failure.
We're doomed.
Faster! Faster! Faster would be better!
OpenSSL design is fundamentally flawed. Bug fixes will probably introduce more bugs in many cases.
Well, the LibreSSL project is ripping out much of the code and rebuilding it: http://www.libressl.org/
I mean, OpenSSL will use your actual private key as a source of entropy. How messed up is that?
Ummm, your private key should be randomly generated, otherwise public key encryption doesn't work too well.
But your private key doesn't change, so that isn't a good thing to do. Fixing the entropy is one of the many things LibreSSL is doing: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00016.html
open source has one strength, it's that when many skilled eyes DO converge on the code it can be tested and fixed far more quickly
Did you even read the summary? They believe that this flaw has existed since 1998. You have a very strange definition of "quickly" if 16 years falls into that category.
I'm all for OSS, but people like you that continue to trot out this tripe aren't helping it. The benefit isn't that there all these mythical "skilled eyes" looking at the code, it's that you can look at the code.
I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.
I agree 100%. The only reason this flaw is known is because the source code was available to review. Obviously, it would have been better if this were reviewed and caught sooner, but that ignores the fact that it was only caught because the source code was available. That seems to be a big plus.
Also what is interesting is that even though the flaw has been there for 16 years, there are no known exploits of it. That would seem to dismiss the notion that open source security software is problematic because bad people can find exploits.
Of course another explanation is that the flaw isn't any such thing and was intentional and because it was open source, certain government agencies will now lose the ability to exploit it.
Regardless of how you look at it, it seems to be an advantage to open source.
If you've been following OpenSSL Heartbleed coverage, you know that the project has only had one full-time developer working on it. Since Heartbleed (a recent discovery, you'll recall) they've discovered more holes to close such as this one. I'd call less than two months since more eyes started staring at OpenSSL "quickly."
LibreSSL does not yet have any users.
So it is 100% save!! Yay!! ;-)