
Heartbleed II: This security hole has been wide open for 16 years

What made the Heartbleed security bug so dangerous?

Heartbleed affected OpenSSL, the most widely-used encryption system on the Web. Because OpenSSL is used in so many different sites and servers, nearly everyone was affected in some way.

Now we've found another flaw in OpenSSL. Wired reports:

The new attack, found by Japanese researcher Masashi Kikuchi, takes advantage of a portion of OpenSSL’s “handshake” for establishing encrypted connections known as ChangeCipherSpec, allowing the attacker to force the PC and server performing the handshake to use weak keys that allow a “man-in-the-middle” snoop to decrypt and read the traffic.

Basically, this lets an attacker trick your computer into revealing everything it sends and receives from another computer. In some ways, it's not as bad as Heartbleed, because it must be used in more specific situations, but in others it's just as dangerous.

Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating. But that still leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA could strip away your Web connection’s encryption before it’s even initialized.
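The weakness described above comes down to handshake ordering: a ChangeCipherSpec message is supposed to be honoured only after the key exchange has finished, because that is the moment both sides actually share a secret. The toy handshake below is an added illustration for this page, not code from OpenSSL or from the Wired article; its state names, its stand-in key derivation (an HMAC over the two hello randoms) and the `strict` switch are all assumptions made for the example. It shows why an endpoint that enforces the ordering is safe and why one that does not ends up with a key that anyone who watched the cleartext part of the handshake can recompute.

```python
import hashlib
import hmac
import os
from enum import Enum, auto


class HandshakeState(Enum):
    HELLO_DONE = auto()      # ClientHello / ServerHello exchanged, randoms are public
    KEY_EXCHANGED = auto()   # ClientKeyExchange processed, premaster secret is known
    CIPHER_ACTIVE = auto()   # ChangeCipherSpec accepted, record keys derived


class ProtocolError(Exception):
    """Raised when a handshake message arrives in the wrong state."""


def derive_master(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Toy stand-in for the TLS key derivation (assumption, not the real PRF).
    # The two randoms travel in the clear, so the secrecy of the result rests
    # entirely on the premaster secret.
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()


class ToyEndpoint:
    """One side of a simplified handshake; `strict` enforces message ordering."""

    def __init__(self, strict: bool, client_random: bytes, server_random: bytes):
        self.strict = strict
        self.client_random = client_random
        self.server_random = server_random
        self.state = HandshakeState.HELLO_DONE
        self.premaster = b""   # nothing agreed yet: an empty, publicly known value
        self.master = None

    def on_client_key_exchange(self, premaster: bytes) -> None:
        if self.state is not HandshakeState.HELLO_DONE:
            raise ProtocolError("unexpected ClientKeyExchange")
        self.premaster = premaster
        self.state = HandshakeState.KEY_EXCHANGED

    def on_change_cipher_spec(self) -> None:
        if self.state is not HandshakeState.KEY_EXCHANGED:
            if self.strict:
                # Hardened behaviour: refuse to switch ciphers before a secret exists.
                raise ProtocolError("ChangeCipherSpec before key exchange completed")
            # Lenient behaviour: carry on with whatever premaster is on hand (empty).
        self.master = derive_master(self.premaster, self.client_random, self.server_random)
        self.state = HandshakeState.CIPHER_ACTIVE


def _observer_can_recompute(endpoint: ToyEndpoint) -> bool:
    # A passive observer saw both randoms but no premaster; the only key it can
    # compute is the one derived from an empty premaster.
    guess = derive_master(b"", endpoint.client_random, endpoint.server_random)
    return hmac.compare_digest(endpoint.master, guess)


def run_early_ccs(strict: bool) -> dict:
    """Deliver ChangeCipherSpec before ClientKeyExchange and report the outcome."""
    cr, sr = os.urandom(32), os.urandom(32)   # constructed hello randoms
    ep = ToyEndpoint(strict, cr, sr)
    try:
        ep.on_change_cipher_spec()
    except ProtocolError as err:
        return {"accepted": False, "reason": str(err)}
    return {"accepted": True, "key_predictable": _observer_can_recompute(ep)}


def run_normal_order(strict: bool) -> dict:
    """Deliver the messages in the proper order; both endpoint kinds behave the same."""
    cr, sr = os.urandom(32), os.urandom(32)
    ep = ToyEndpoint(strict, cr, sr)
    ep.on_client_key_exchange(os.urandom(48))   # constructed premaster secret
    ep.on_change_cipher_spec()
    return {"accepted": True, "key_predictable": _observer_can_recompute(ep)}


if __name__ == "__main__":
    print("strict, early CCS:  ", run_early_ccs(True))
    print("lenient, early CCS: ", run_early_ccs(False))
    print("strict, normal:     ", run_normal_order(True))
    print("lenient, normal:    ", run_normal_order(False))
```

The point of the `strict` branch is that the check costs nothing in the normal flow (both endpoints derive an unpredictable key when the messages arrive in order) and is the only thing standing between the lenient endpoint and a key that the observer recomputes from public data alone.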

The worst part is that this flaw has been present since OpenSSL's beginnings in 1998. That's 16 years of constant vulnerability.

The good news is that the bug has already been fixed, and sites and servers have begun patching OpenSSL to close the vulnerability. In the meantime, you can protect yourself by following safe password practices.

A security flaw that functioned a lot like Heartbleed was recently uncovered in a different encryption library. Click here to find out which computers are affected by the latest Heartbleed-style attack.

A cousin of the infamous Heartbleed bug recently struck Android gadgets and routers. If you have a home Wi-Fi network or an Android phone or tablet, you really need to read this. Click here to find out how to protect yourself.
