Items tagged with OpenSSL

A newly discovered attack vector is threatening to leave millions of websites underwater, gasping for air. Since we live in an acronym-crazed society, it should come as no surprise that this latest exploit described as Decrypting RSA with Obsolete and Weakened eNcryption goes by the name of "DROWN." DROWN preys on servers that still openly support Secure Sockets Layer (SSLv2), even though modern servers have moved on to Transport Layer Security (TLS). Given that SSLv2 was developed in the 1990s, it’s long been considered outdated and insecure. However, some servers have still been configured to...

When the OpenSSL vulnerability Heartbleed broke cover in April, it felt like it was the only thing that mattered for an entire week. Like many news outlets, we reported on the bug from a number of different angles, and it was all for good reason: It's a severe bug, and one that the world needs to know about. Given all of the attention Heartbleed received, it'd be easy to assume that the vulnerability would now be hard to spot out in the wild - but no. Far from it, actually. When we first learned of Heartbleed, it was estimated that at least half a million Web servers were vulnerable because of...

The Heartbleed Bug illustrated just how vulnerable our global communications structure really is, and now a glut of important tech companies in collaboration with the Linux Foundation are launching a new initiative called the Core Infrastructure Initiative to better support the open source projects and technologies that keep the Internet afloat. The first item on the docket is increased support for OpenSSL, which if you’ll recall was the source of the Heartbleed problem. OpenSSL “could receive fellowship funding for key developers as well as other resources...

As Seth covered earlier today, Bloomberg has accused the NSA of benefiting from the Heartbleed OpenSSL bug. The NSA denies this in fairly strong terms. I'd like to draw attention to a different facet of the topic -- first, by discussing the semantics of the NSA's denial and then the wider impact of how that denial is perceived and what it means for the tech community as a whole. The NSA's Denial is Surprisingly Straightforward For the past year, the NSA's responses to the Snowden leaks have followed the same strategy: Either the organization claims that its activities are legal or it denies engaging...

The news of two truly horrible security breaches broke this year; one was the NSA’s shadowy data grabbing and surveillance program, and the other was the Heartbleed bug that left about two-thirds of the Internet utterly exposed to any bad actor. According to a Bloomberg report, these two stories have merged, as “two people familiar with the matter” have told the outlet that the NSA has known about the Heartbleed bug for at least two years and has regularly exploited it to gather intelligence. In an emailed statement to Bloomberg, the Office of the Director of National Intelligence...

Terrible news, everyone: There’s a coding error in the OpenSSL cryptographic software library that allows anyone with the right tools and a little know-how to access secret encryption keys, usernames, passwords, and even content on sites using OpenSSL for protection. That includes roughly two-thirds of the Internet’s web servers, according to Ars Technica. The problem with the so-called Heartbleed bug is that there’s a missing bounds check. “By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its...