Critical Flaw With Web Security Protocol Exposed

If you’ve ever used the web to do online banking or buy something online, you may not have known it, but your transaction was likely being secured by SSL/TLS, most often through a software library called OpenSSL. A lot of sites use it. And that’s going to be a problem, as there’s a serious flaw in OpenSSL that puts you at risk. Here’s the bad news from ZDNet:
The flaw can potentially be used to reveal not just the contents of a secured message, such as a credit-card transaction over HTTPS, but the primary and secondary SSL keys themselves. This data could then, in theory, be used as skeleton keys to bypass secure servers without leaving a trace that a site had been hacked.
This bug is not a problem with OpenSSL’s inherent design. It’s an implementation problem. That is to say, it is the result of a programming mistake. There is already a fix available for the problem for the 1.0.1 program in OpenSSL 1.0.1g. Work is proceeding rapidly for a patch for the 1.0.2-beta line.
That isn’t good. But the bad news doesn’t end there:
That’s bad enough, but what really has some operating system and security companies ticked is that, while OpenSSL and others were hard at work delivering the patched versions that would have limited the problem’s possible use by blackhat hackers, CloudFlare, a Web security company, revealed in a blog posting details about the security hole and that they’ve fixed the bug. They appear to have used the methods described by OpenSSL. Unfortunately, for everyone else, these methods were not ready for broad deployment.
According to one senior security developer at a major operating system company, “The main problem with what CloudFlare did was that they jumped the gun before the FIRST AVAILABLE patches were available to users. You don’t open the door and wave a red flag before the patches are ready to go.”
That means every evil hacker is trying to exploit this now. That means everyone from Amazon to your bank is rushing to fix or mitigate this. You as the end user can do nothing to protect yourself. That’s not a good place to be. Here’s hoping that everyone who is affected by this fixes it quickly once patches are available.
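The ZDNet excerpt above says the fix for the 1.0.1 line shipped as OpenSSL 1.0.1g, with the 1.0.2-beta line still awaiting a patch. For an administrator taking inventory after a post like this, the practical question is "which OpenSSL build is this host running, and is it at least 1.0.1g?". The script below is an added example, not code from the post or from the OpenSSL project: it parses the one-line output of `openssl version` and classifies the build against the versions the article names. The letter ordering (1.0.1, 1.0.1a, 1.0.1b, ... 1.0.1g) is how OpenSSL numbers its point releases, so a simple alphabetical comparison on the suffix is enough within one line. The `not-covered` result for any other release line is this example's own convention: it means the article gives no verdict for that build, not that the build is safe.

```python
import re
import subprocess

# Matches the version token in 'openssl version' output, for example
# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|pre\d*))?"
)

# Constructed sample lines used by main() when no local openssl binary exists.
SAMPLE_OUTPUTS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
]


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, pre_tag) from 'openssl version' output.

    letter is the point-release suffix ('' for the initial release of a line);
    pre_tag is 'betaN'/'preN' for pre-releases, '' otherwise.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def assess(text):
    """Classify a build as 'patched', 'unpatched' or 'not-covered'.

    Only the release lines the article names get a verdict:
      1.0.1 line: fixed from 1.0.1g onward (letters sort alphabetically).
      1.0.2-beta line: fix still in progress according to the article.
    Anything else is reported as 'not-covered' (assumption of this example).
    """
    major, minor, fix, letter, pre = parse_openssl_version(text)
    line = "%d.%d.%d" % (major, minor, fix)
    if line == "1.0.1":
        if pre:
            # 1.0.1-betaN predates every letter release, so it lacks the fix.
            return "unpatched"
        return "patched" if letter >= "g" else "unpatched"
    if line == "1.0.2" and pre.startswith("beta"):
        return "unpatched"
    return "not-covered"


def local_openssl_version():
    """Run the local 'openssl version' command; None if it is unavailable."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()


def main():
    local = local_openssl_version()
    lines = [local] if local else SAMPLE_OUTPUTS
    for line in lines:
        print("%-40s -> %s" % (line, assess(line)))


if __name__ == "__main__":
    main()
```

Run it on a host and it reports the verdict for the installed build; without a local `openssl` it runs over the constructed sample lines instead. Note that the version string reflects the OpenSSL binary on the PATH, which is not necessarily the library a given server process was linked against, so treat the result as one inventory signal rather than proof.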
This entry was posted on April 8, 2014 at 3:43 pm and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed.