New OpenSSL Man-in-the-Middle Flaw Affects All Clients

New OpenSSL Man-in-the-Middle Flaw Affects All Clients 217

Posted by timothy on Thursday June 05, 2014 @10:45AM from the disclosure-of-diclosure dept.

Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

This discussion has been archived. No new comments can be posted.

Search 217 Comments Log In/Create an Account

Comments Filter:

Re:This is awesome (Score:1, Interesting)

by smooth wombat ( 796938 ) writes: on Thursday June 05, 2014 @11:07AM (#47171971) Journal

If open source has one strength, it's that when many skilled eyes DO converge on the code

Keep making excuses for why open source should get a pass on something like this. The code has been around for 16 years. How many eyes have looked at the code since it was put out?

Open source is no better or worse than closed source. People just like to think it is because of situations like this when someone shouts, "I found a flaw!" but completely ignore the time the problem has existed.

If open source is so great, this flaw wouldn't have been around this long, would it?

Bet the NSA knew about this... (Score:2, Interesting)

by GameboyRMH ( 1153867 ) writes: <`gameboyrmh' `at' `gmail.com'> on Thursday June 05, 2014 @11:10AM (#47171989) Journal

...and it was like ten Christmases to them. They're probably really down that they just lost one of their best toys.

Re:This is awesome (Score:4, Interesting)

by mean pun ( 717227 ) writes: on Thursday June 05, 2014 @11:24AM (#47172069)

I agree that 16 years for a fundamental flaw like this is bad, but how can you possibly know that closed source is no worse (or no better) than this? Closed-source software vendors are usually not very open about these problems.

Re: Key phrase of vulnerability : (Score:2, Interesting)

by Anonymous Coward writes: on Thursday June 05, 2014 @11:29AM (#47172127)

No, we just need software that isn't a pile of accreted crap.
Cue LibreSSL. Not a moment too soon. Those guys should be paid to do ALL critical security software, because when they do something, they do it RIGHT.

Re:Versions (Score:2, Interesting)

by Anonymous Coward writes: on Thursday June 05, 2014 @12:12PM (#47172483)

especially after everyone panic-upgraded after heartbleed.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

New OpenSSL Man-in-the-Middle Flaw Affects All Clients 217

New OpenSSL Man-in-the-Middle Flaw Affects All Clients More Login

New OpenSSL Man-in-the-Middle Flaw Affects All Clients

Re:This is awesome (Score:1, Interesting)

Bet the NSA knew about this... (Score:2, Interesting)

Re:This is awesome (Score:4, Interesting)

Re: Key phrase of vulnerability : (Score:2, Interesting)

Re:Versions (Score:2, Interesting)

Related Links Top of the: day, week, month.

Slashdot Top Deals

Slashdot