New OpenSSL Vulnerability Discovered – Heartbleed Version 2
In April, the world was scrambling to change all of their online passwords after the Heartbleed vulnerability was discovered.
Now another bug has been found in OpenSSL, the widely used web encryption software. It means that network eavesdroppers could remove the encryption from supposedly secure connections and intercept sensitive data.
The flaw allows an attacker to snoop on a connection and insert a command that fools the two connecting parties into believing they are using a private password, when in fact they are not. The attacker can then decrypt the data that is sent between the two parties. This is known as a “man in the middle” or MITM attack.
The OpenSSL Foundation released a warning last night to its users, urging them to download and install a new patch that will fix the flaw in the software. OpenSSL encryption is a security protocol used by a large proportion of the world’s web servers.
Differences to the Heartbleed Flaw
The Heartbleed flaw allowed anyone to directly attack any server using OpenSSL. This new flaw is less serious, in the sense that an attacker would have to be positioned between the computer user and the server in order to exploit it, such as someone sharing the same public Wi-Fi network as you, or someone on your business’s VPN.
VPNs are a prime target for attackers wishing to exploit this flaw, as they are used where security is a concern and are therefore more likely to hold sensitive data.
The flaw is also only present when both computers communicating are running OpenSSL. A lot of internet browsers use different encryption standards to web servers, so the flaw would not affect them. However, it has been suggested that many Android web clients are using the vulnerable code.
Naturally, upon reading of a security vulnerability like this, most people will immediately think of their online banking service and worry that it may not be secure.
Most online banking services, such as those provided by Royal Bank of Scotland (RBS), NatWest, Barclays, Santander, HSBC and Lloyds, do not use OpenSSL encryption for their services, so they will not be affected by this flaw. However, it is best to check with your bank to ensure that your passwords are still secure.
A deep-rooted problem
It has been reported that this flaw has existed for some 16 years, since the very beginning of OpenSSL encryption. The fact that the OpenSSL Foundation is a non-profit organisation means that there is less emphasis on security reviews than there might otherwise be, and code reviews have been insufficient. Masashi Kikuchi, the engineer who discovered this latest flaw, suggested that experts writing and working with the code for over 16 years should have discovered the problem.
The fact that this flaw has existed for so long will only ramp up efforts from activist groups to increase online security, privacy and data protection. The ‘Reset the Net’ group is calling for a complete re-write of online security and encryption standards from all major websites, in the hope that others will follow suit, taking into account the security and privacy lessons that have been learned since the web’s inception. This movement came in the wake of the revelation by Edward Snowden that the NSA were exploiting online security flaws in order to snoop and monitor global web activity on a grand scale.