Thursday, June 05, 2014

Another Gaping Wound in Web Encryption Uncovered

[sarcasm] Bankers prove they are worth their enormous salaries by trying to get all transactions to go on-line, while there are repeated security breaches.

I fear a severe meltdown at some point.

http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncovered/

BY ANDY GREENBERG 06.05.14

The internet is still reeling from the discovery of the Heartbleed vulnerability, a software flaw exposed in April that broke most implementations of the widely used encryption protocol SSL. Now, before Heartbleed has even fully healed, another major bug has ripped off the scab.

On Thursday, the OpenSSL Foundation published an advisory warning to users to update their SSL yet again, this time to fix a previously unknown but more than decade-old bug in the software that allows any network eavesdropper to strip away its encryption. The non-profit foundation, whose encryption is used by the majority of the Web’s SSL servers, issued a patch and advised sites that use its software to upgrade immediately.

-----

Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating. But that still leaves open the possibility that anyone from an eavesdropper on your local Starbucks’ network to the NSA could strip away your Web connection’s encryption before it’s even initialized.

According to a blog post by Kikuchi, the flaw has existed since the very first release of OpenSSL in 1998. He argues that despite the widespread dependence on the software and its recent scrutiny following the Heartbleed revelation, OpenSSL’s code still hasn’t received enough attention from security researchers. “The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation,” he writes. “They could have detected the problem.”

-----
