OpenSSL Patches Critical Certificate Forgery Bug
msm1267 writes: The mystery OpenSSL patch released today addresses a critical certificate validation issue where anyone with an untrusted TLS certificate can become a Certificate Authority. While serious, the good news according to the OpenSSL Project is that few downstream organizations have deployed the June update where the bug was introduced.
From the linked piece: The vulnerability allows an attacker with an untrusted TLS certificate to be treated as a certificate authority and spoof another website. Attackers can use this scenario to redirect traffic, set up man-in-the-middle attacks, phishing schemes and anything else that compromises supposedly encrypted traffic. [Rich Salz, one of the developers] said there are no reports of public exploits.
Apparently the NSA/FBI needed to collect someone's encrypted data in the last year. Now that they have what they want, they are sewing it back up again.
Though with the NSA's purported computing capability and back doors it doesn't seem like they would need this -- unless some lesser player on the intelligence field got this in -- but then I'm positing corroboration with the OpenSSL folks, so it seems like only a government would be capable of coercing this kind of flaw. But with the Underhanded C Contest, maybe someone at OpenSSL would make a "mistake" for the right price.