New OpenSSL Bug Discovered After 16 Years of Hiding On The Web
📅 - A new security bug has been found in the OpenSSL encryption tool, just months after Heartbleed affected thousands of websites across the web.
According to a report from CNN, the SSL/TLS MITM bug allows hackers to look into your Internet session through the “handshake” process between computers and web servers.
“Attackers can exploit this behavior so that they can decrypt and/or modify data in the communication channel,” says a blog post from the researcher who discovered the bug, Masahi Kikuchi.
Kikuchi notes that the vulnerability has been hiding on the web since the very first release of OpenSSl more than 16 years ago.
“The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.”
Currently, Internet Explorer, Firefox, Chrome, and Safari are safe from the SSL/TLS MITM bug, though Android and Chrome for Android are vulnerable.
“We shouldn't be surprised that there are more flaws in OpenSSL,” said researcher at Malwarebytes, Jean Taggart. “Security is a process, not a product.”
According to a report from CNN, the SSL/TLS MITM bug allows hackers to look into your Internet session through the “handshake” process between computers and web servers.
“Attackers can exploit this behavior so that they can decrypt and/or modify data in the communication channel,” says a blog post from the researcher who discovered the bug, Masahi Kikuchi.
Kikuchi notes that the vulnerability has been hiding on the web since the very first release of OpenSSl more than 16 years ago.
“The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.”
Currently, Internet Explorer, Firefox, Chrome, and Safari are safe from the SSL/TLS MITM bug, though Android and Chrome for Android are vulnerable.
“We shouldn't be surprised that there are more flaws in OpenSSL,” said researcher at Malwarebytes, Jean Taggart. “Security is a process, not a product.”
Reads: 1680 | Category: General | Source: TheHN : The Hosting News
Want to add a website news or press release ? Just do it, it's free! Use add web hosting news!
📅 - 
📅 -