New OpenSSL Man-in-the-Middle Flaw Affects All Clients
Trailrunner7 (1100399) writes 'There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That's not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998.'
Re:This is awesome (Score:1, Interesting)
Keep making excuses for why open source should get a pass on something like this. The code has been around for 16 years. How many eyes have looked at the code since it was put out?
Open source is no better or worse than closed source. People just like to think it is because of situations like this when someone shouts, "I found a flaw!" but completely ignore the time the problem has existed.
If open source is so great, this flaw wouldn't have been around this long, would it?
Bet the NSA knew about this... (Score:2, Interesting)
...and it was like ten Christmases to them. They're probably really down that they just lost one of their best toys.
Re:This is awesome (Score:4, Interesting)
Re:Key phrase of vulnerability: (Score:2, Interesting)
No, we just need software that isn't a pile of accreted crap.
Cue LibreSSL. Not a moment too soon. Those guys should be paid to do ALL critical security software, because when they do something, they do it RIGHT.
Re:Versions (Score:2, Interesting)
Especially after everyone panic-upgraded after Heartbleed.