Technology content trusted in North America and globally since 1999
7,601 Reviews & Articles | 56,167 News Posts

OpenSSL gets patched for a problem that probably doesn't effect you

A new vulnerability has been found in OpenSSL, but this time it isn't so large, and has already been patched
By: Jeff Williams | Hacking & Security News | Posted: Jan 31, 2016 2:27 pm

The OpenSSL project has found, and patched, an issue that was fairly serious though it likely didn't effect very many people, or businesses for that matter.

 

openssl-gets-patched-problem-probably-effect_21

 

The problem seems to have stemmed around how the open-source implementation of SSL and TLS reuses prime numbers while the Diffie-Hellman key-exchange protocol is used, making it far easier for a would-be attacker to decrypt your information. The good news is that in order for that to happen, a particular setting has to physically be set on, because it's not on by default.

 

Even better is that in order to have enough information to actually crack the encryption, there the attacker would have to connect (and reconnect via separate handshakes) several times. So it's not something that's of too much concern, certainly not at the same level of the Heartbleed vulnerability of 2014.

 

OpenSSL has been under scrutiny since the debacle of 2014 and an internal audit of the source code has been underway to find and patch bugs precisely like this one. So this is a good sign that the team looking into OpenSSL is hard at work. The patched version is 1.0.1f and 1.0.1r.

 

But again, this likely doesn't effect the majority of users of the software anyway.

NEWS SOURCES:Openssl.org

Related Tags

Got an opinion on this news? Post a comment below!
loading