TechWalls

OpenSSL hit with another critical vulnerability

Updated on Jul 30, 2015 by Guest Authors

Security researchers have found a new vulnerability in OpenSSL that could give attackers a way into an otherwise secure communications channel.

The critical flaw in OpenSSL, found after the Heartbleed vulnerability, allows attackers to trick computers into accepting a forged digital certificate as legitimate. Once a sham certificate is accepted, attackers can mount man-in-the-middle attacks against the network, eavesdropping on connections between users who believe they are exchanging messages securely.


OpenSSL is widely used to implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols; the majority of web servers in the world use the open source software.

The vulnerability lies in OpenSSL's certificate verification: the accuracy of the verification process has been compromised.

Here is how it works. A connecting client checks whether a certificate was issued by a trusted Certificate Authority; if it cannot confirm that directly, it moves one step higher in the chain of certificate issuance. SSL certificates form a chain from the root certificate authority through one or more intermediate CAs to the end-user certificate. If no trusted certificate authority can be found, an error is returned and the secure connection is refused.

When its first attempt to build a certificate chain fails, OpenSSL tries to construct an alternative chain. An error in the implementation of this alternative-chain logic is the source of the vulnerability: it lets attackers bypass certain checks on untrusted certificates acting as CAs.

In particular, an attacker can use an end-user certificate as though it were a CA certificate and issue illegitimate certificates that the victim's computer will treat as trusted.
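To make the chain-building described above concrete, here is an added model of the process (illustration code, not OpenSSL's): a first pass climbs the peer-supplied certificates, an alternative chain is tried when the top is not trusted, and every untrusted issuer in the final chain must carry the CA flag, which is exactly the check the flaw let an end-user certificate slip past. Certificates are constructed records; the `key` and `sig_key` fields stand in for a public key and the key that signed the certificate, so issuer matching is by name and key rather than a real signature check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # this cert's public key (stand-in identifier)
    sig_key: str    # key that produced this cert's signature
    is_ca: bool     # basicConstraints CA flag

class ChainError(Exception):
    pass

def find_issuer(cert, pool):
    """The cert in pool named as cert's issuer whose key signed cert, or None."""
    return next((c for c in pool if c.subject == cert.issuer and c.key == cert.sig_key), None)

def build_chain(leaf, untrusted, trust_store):
    """Return (chain ending in a trust anchor, count of untrusted certs in it)."""
    chain = [leaf]
    # Pass 1: climb the issuance chain using only peer-supplied certs.
    while (nxt := find_issuer(chain[-1], untrusted)) is not None and nxt not in chain:
        chain.append(nxt)
    anchor = find_issuer(chain[-1], trust_store)
    # Alternative chain: when the top is not issued by a trust anchor, drop
    # peer-supplied certs from the top until a trust anchor fits the new top.
    while anchor is None and len(chain) > 1:
        chain.pop()
        anchor = find_issuer(chain[-1], trust_store)
    if anchor is None:
        raise ChainError("no trusted root found")
    return chain + [anchor], len(chain)

def verify(leaf, untrusted, trust_store):
    """Build the chain, then require every untrusted issuer to carry the CA flag."""
    chain, n_untrusted = build_chain(leaf, untrusted, trust_store)
    for c in chain[1:n_untrusted]:  # includes issuers promoted by an alternative chain
        if not c.is_ca:
            raise ChainError(f"'{c.subject}' is an end-entity cert, not a CA")
    return chain

# Constructed sample PKI: a retired root, an intermediate the client trusts directly,
# a legitimate leaf owned by the attacker, and a rogue cert signed with the leaf's key.
OLD_ROOT = Cert("Old Root", "Old Root", "kR", "kR", True)
INTERMEDIATE = Cert("Example CA", "Old Root", "kI", "kR", True)
LEAF = Cert("shop.example", "Example CA", "kL", "kI", False)
ROGUE = Cert("bank.example", "shop.example", "kV", "kL", False)
TRUST_STORE = [INTERMEDIATE]
```

Verifying `LEAF` with `[INTERMEDIATE, OLD_ROOT]` succeeds through the alternative chain (the retired root is dropped and the trusted intermediate takes over), while `ROGUE` builds the same kind of alternative chain but is rejected because `shop.example` is not a CA.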

Validating a certificate chain is usually the job of SSL and TLS client software, such as browsers and email servers. Such software is susceptible to the flaw if it verifies certificate chains with an affected version of OpenSSL.

Web servers, by contrast, are not exposed unless they use certificates to authenticate site visitors; servers that authenticate visitors by password only are unaffected.

The OpenSSL versions affected by this vulnerability are 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o. Users of 1.0.2b and 1.0.2c need to upgrade to 1.0.2d, while users of 1.0.1n and 1.0.1o must upgrade to 1.0.1p.
