OpenSSL gets patched for a problem that probably doesn’t effect you

The OpenSSL project has found, and patched, an issue that was fairly serious though it likely didn’t effect very many people, or businesses for that matter.

openssl-gets-patched-problem-probably-effect

The problem seems to have stemmed around how the open-source implementation of SSL and TLS reuses prime numbers while the Diffie-Hellman key-exchange protocol is used, making it far easier for a would-be attacker to decrypt your information. The good news is that in order for that to happen, a particular setting has to physically be set on, because it’s not on by default.

Even better is that in order to have enough information to actually crack the encryption, there the attacker would have to connect (and reconnect via separate handshakes) several times. So it’s not something that’s of too much concern, certainly not at the same level of the Heartbleed vulnerability of 2014.

OpenSSL has been under scrutiny since the debacle of 2014 and an internal audit of the source code has been underway to find and patch bugs precisely like this one. So this is a good sign that the team looking into OpenSSL is hard at work. The patched version is 1.0.1f and 1.0.1r.

But again, this likely doesn’t effect the majority of users of the software anyway.

Source: Openssl.org

Leave a Reply

%d bloggers like this: