DTX Manchester DTX Manchester
  • About Us
Tuesday, 26 January, 2021
IT Security Guru
CTX Manchester 2020 banner ad
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Fresh OpenSSL flaw "will have far less impact than Heartbleed"

by The Gurus
June 6, 2014
in Editor's News
Share on FacebookShare on Twitter

Around two months after the OpenSSL flaw “Heartbleed” shook the internet’s privacy foundations, new vulnerabilities have been discovered in the protocol.
 
According to an advisory, an attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
 
While still serious, the attack can only be performed between a vulnerable client and server. The flaw was discovered by Kikuchi Masashi of Lepidum, who said in his advisory that the problem is that OpenSSL accepts ChangeCipherSpec inappropriately during a handshake, and this bug has existed since the very first release of OpenSSL.
 
He said: “OpenSSL sends ChangeCipherSpec in exact timing itself. However, it accepts ChangeCipherSpec at other timings when receiving. Attackers can exploit this behaviour so that they can decrypt and/or modify data in the communication channel.
 
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.”
 
Ivan Ristic, director of Qualys SSL Labs, said that the vulnerabilities are serious, but will have far less impact than Heartbleed. “The main vulnerability (CVE-2014-0224) is a man-in-the-middle type scenario between two machines running OpenSSL that allows for the decryption of the data sent; in most of our typical communication (browser web server) we do not have two machines running OpenSSL, because the browser uses a different SSL library.
 
“So while there are certainly situations where OpenSSL talks to OpenSSL, for example in command line tools, server to server communication and also in Android browsers (Chrome and native), which use OpenSSL, the conditions necessary for exploitation are quite a bit harder to find.”
 
Steve Pate, chief architect at HyTrust, said he was not surprised that there are a number of newly reported flaws in OpenSSL. “After the Heartbleed bug was announced, one thing we could guarantee was that all eyes would be on the OpenSSL source code, scrutinizing it for issues,” he said.
 
“I personally feel encouraged that the community has risen to the challenge to ensure that OpenSSL becomes a better product and that issues are found and fixed quickly. What concerns me more is the length of time that vendors will take to apply the patches. As with Heartbleed, we can guarantee that the security conscious vendors on the web will move fast. However, how many servers and routers are still out there vulnerable to the Heartbleed bug, never mind these new vulnerabilities.”

0 0 vote
Article Rating
FacebookTweetLinkedIn
Tags: FlawOpen SourceOpenSSLVulnerability
ShareTweetShare
Previous Post

June patch Tuesday will see long-standing IE bug fixed

Next Post

Cyber crime Remains Growth Industry With $445 Billion Lost

Subscribe
Notify of
guest
guest
0 Comments
Inline Feedbacks
View all comments

Recent News

Effective ways to prevent payroll fraud

Effective ways to prevent payroll fraud

January 25, 2021
Surveillance Camera on a wall

ADT Technician Watched Customers in their Homes

January 25, 2021
Up close image of a hand on a keyboard.

Hackers exploit U.S. Agency Supply Chain

January 25, 2021
Ripped paper heart

2.28 million MeetMindful users’ data leaked by hacker

January 25, 2021

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

More information
wpDiscuz
0
0
Would love your thoughts, please comment.x
()
x
| Reply
Privacy Settings / PENDINGGDPR Compliance

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Accept