Dara Security

OpenSSL Flaw Discovered

June 06, 2014

Still recovering from Heartbleed, we heard of yet another OpenSSL flaw that was reported yesterday. The "SSL/TLS MITM" vulnerability allows a user to interfere with the "handshake" between a client and server, essentially disrupting web traffic encryption.

What The OpenSSL Flaw Means

In exploiting this OpenSSL flaw, a malicious user decrypts and modifies information flowing between client and server. Communication that appears to be over a private connection is actually directly controlled by the intruder. This form of active eavesdropping is known as a "man-in-the-middle" (MITM) attack.

Similar to Heartbleed, this newly found bug has been putting computers at risk for almost 15 years. However, the SSL/TLS MITM vulnerability is not as severe as Heartbleed in that exploits are more difficult to carry out and the effects are not as earth-shattering. Exploits target single connections and are accomplished only when the malicious user can successfully authenticate both client and server.

Non-OpenSSL clients are not affected by the SSL/TLS MITM flaw. Browsers IE, Firefox, Chrome (on Desktop and iOS), and Safari are not vulnerable. However, OpenSSL clients have been advised to update to the latest version as soon as possible: https://www.openssl.org/.