A new security advisory from OpenSSL has disclosed another flaw in the library, one that allows a man-in-the-middle (MITM) attacker to decrypt traffic passing between an affected client and server.
Just a couple of months ago we had the Heartbleed Bug, a massive vulnerability that had sat in the code for years. It let an attacker read memory from any server running a vulnerable OpenSSL (which is to say a large share of the web), something that was allegedly exploited regularly, including by the NSA.
Now there is another problem, although not as big as the last. Again in OpenSSL, a MITM attacker positioned between a vulnerable client and server could intercept and decrypt the traffic passing between them.
At a time when encryption is presented as the be-all and end-all of internet security and privacy, this is an alarming fault: an attacker could strip the encryption from the connection and read the data as if it had never been protected at all.
What does this mean for you? For most people, probably nothing. The vulnerability has been patched; only programs still running an outdated version of OpenSSL remain exposed.
But it does point to the continued need to hunt for bugs like these in OpenSSL. For the predominant TLS library on the web, a status it has held for years, the lack of scrutiny it received until now is shocking.
Several other vulnerabilities were disclosed alongside this one, but they enable Denial of Service (DoS) attacks rather than a more alarming loss of confidentiality, and have not raised as many hackles.
If you run a server or program that uses OpenSSL, update it. If not, there is little to do for now. Whether the flaw was ever exploited in the wild is hard to say, but the attack needs a vulnerable client as well as a vulnerable server, and most browsers do not use the OpenSSL version that needed the patch. So it is unlikely you need to worry as you did with the much larger and much wider-reaching Heartbleed Bug.