New OpenSSL vulnerability puts encrypted communications at risk of spying

Lucian Constantin

The CCS problem is easy to exploit if the conditions are right and, although the impact is nowhere near that of the Heartbleed vulnerability announced in April, there is some significant attack surface, Ristic said via email.

"One of the worst attacks could be against VPN connections based on SSL/TLS, provided they are running vulnerable OpenSSL code," he said. "Attacks against automated systems could also be interesting; they could be used to obtain connection passwords."

Ristic doesn't think that server administrators and software developers will rush to upgrade OpenSSL with the same speed as they did when the Heartbleed flaw was announced. That vulnerability, which allowed attackers to extract sensitive information including encryption keys and passwords from the memory of SSL servers and clients, could have easily been exploited widely.

Since exploiting the CCS vulnerability requires an MitM position "it's unlikely to be used at scale, but it might be very useful for targeted attacks," Ristic said.

Unfortunately, "the regular user can't do anything to safeguard their data, other than putting critical information transfer on hold until the issue is resolved server side," Bogdan Botezatu, a senior e-threat analyst at Bitdefender said via email regarding this new OpenSSL vulnerability. "It is important to bear in mind that man-in-the-middle attacks -- because of their nature -- are completely undetectable to both the user and automated traffic inspection technologies."

Previous Page  1  2