Jump to content


Oh great: is this new OpenSSL flaw worse than Heartbleed?

  • Please log in to reply
No replies to this topic

OFFLINE   sincity


    Advanced Member

  • Members
  • PipPipPipPip
  • 2980 posts
Getting Better
Oh great: is this new OpenSSL flaw worse than Heartbleed?

The Heartbleed flaw discovered in OpenSSL was one of the worst web vulnerabilities in history, but believe it or not it may already have been dethroned.

Even more incredible is the fact that once again, OpenSSL may be to blame.

The "CCS Injection Vulnerability" was discovered by Tatsuya Hayashi, who said it "may be more dangerous than Heartbleed," according to The Guardian.

Attackers can reportedly use this weakness to intercept and even alter data passing between computer and websites in a classic man-in-the-middle maneuver as long as they're on the same network, like a public Wi-Fi hub.

Hopelessly flawed

The flaw was reportedly introduced into the OpenSSL encryption standard 16 years ago, when OpenSSL was introduced in 1998, but it's only just been discovered.

It affects all past versions of OpenSSL and servers running OpenSSL 1.0.1 or the beta version for 1.0.2.

Meanwhile it's not even the only flaw to be uncovered this week - another one allowed hackers to send malicious code to machines running OpenSSL, and it was reportedly added four years ago by Robin Seggelmann, the same dev who created Heartbleed.

The OpenSSL open source project has already issued a patch, but this newest discovery has nevertheless revived the question of whether it's time to kill OpenSSL once and for all.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users