New OpenSSL bug not as grave as Heartbleed, still bad for you

Back in April, the Internet was abuzz about a new vulnerability in the encryption protocol that protects practically every major website. Dubbed Heartbleed, the bug had the ability to force a server to dump its encryption keys, removing the ability to protect sensitive data as it traversed the network.

Yesterday, another vulnerability was found in OpenSSL. This new flaw allows an attacker who is on the same network as you to decrypt your traffic and steal information such as passwords and credit card numbers; this kind of interception is called a "man in the middle" attack. Although it's still a big deal, it's nowhere near as critical as Heartbleed was, despite what the researcher who discovered the flaw says. There are several reasons why this latest flaw is not as bad as Heartbleed was.

The first reason is that any potential hacker has to be on the same network as you are. While this can be a problem on a public Wi-Fi network at your local coffee shop, it's probably not an issue at your office or in your home, so the attack surface is vastly reduced. In addition, most people are probably simply surfing a website with their browser, and their browser isn't using a vulnerable version of OpenSSL (although mobile versions of Chrome may be impacted), so there's nothing to worry about there.

The second reason is that in order to exploit the flaw, both the client and the server have to be running vulnerable versions of OpenSSL. As soon as one of the two sides updates their system, the vulnerability is gone. Heartbleed, on the other hand, could be exploited on any server that was running the vulnerable version.

This latest OpenSSL vulnerability only impacts the current session. Once you move to another network, upgrade your version of OpenSSL, or the server side does the same, the vulnerability is closed. The bad guys may have stolen some of your information, but water is no longer leaking through the dam. With Heartbleed, it was theorized that the actual secret keys that websites use could be compromised, making all connections to the site suspect until a new key was generated.

None of this is meant to imply that the OpenSSL vulnerability isn't a big deal; any time a flaw is found in an encryption protocol, it's a big deal. It's just not quite time for public hysteria compared to the Heartbleed bug.

Source: OpenSSL.org


7 Comments

The first reason is that any potential hacker has to be on the same network as you are. While this can be a problem on a public Wi-Fi network at your local coffee shop, it's probably not an issue at your office or in your home, so the attack surface is vastly reduced

That is not true.

A man-in-the-middle attack can happen even when the attacker is not connected to the same local network.

Any node between the client and the server will do.

That means a hacker who manages to change your router's DNS can redirect traffic to a transparent proxy and act as a MITM and intercept data thanks to this flaw.
(If one computer infected with malware connects to your network, it could change the DNS settings for everyone who will connect to the same network in the future, because most of the time users don't change the administrator password of their home router.)

That is just one example. There are lots of other ways a MITM attack can happen.

Buggy code (or even just an oversight) isn't the same as malicious code, although obviously it can be exploited for malicious purposes. That said, just because it's open source doesn't mean these sorts of things are instantly found either; sometimes it can take an awful long time, sometimes even years.

Max Norris said,
Buggy code (or even just an oversight) isn't the same as malicious code, although obviously it can be exploited for malicious purposes. That said, just because it's open source doesn't mean these sorts of things are instantly found either; sometimes it can take an awful long time, sometimes even years.

In this case, 16 years, according to Ars Technica.

I agree with your opinion, but there's this general thinking that if it's open source then it must be bug/malware/NSA-free.
This is what I was trying to emphasize.