Just last year, a major vulnerability in the OpenSSL protocol caused a lot of concern for internet traffic all around. Not only are nearly all sites protected by OpenSSL, but various web apps and other third-party platforms rely on this security standard as well. And even though Heartbleed has been fixed for a while now, there are other vulnerabilities that need to be patched sooner rather than later.
On Thursday – two days from the time of publication – a new version of OpenSSL will be released to the public that contains two major vulnerability patches. Considering the fact that most servers around the world rely on OpenSSL to provide SSL/TLS connections, these vulnerabilities need to be patched as soon as possible.
At this time, exact details regarding both security vulnerabilities remain undisclosed. However, what we do know is that the OpenSSL developers marked these flaws as “critical”, which indicates they could be on par with the Heartbleed vulnerability that was discovered late last year. Additionally, this “critical” priority could also indicate that malicious individuals have been exploiting these weaknesses in recent times.
The SSL library is not just used by websites and servers, but also by most Linux distributions and several major browsers. Until just last year, Google was relying on OpenSSL for both the Chrome browser and the Android mobile operating system. That situation came to a halt when Google developed its own implementation of SSL, which is now present on all its platforms, software, and tools.
Taking into account that this is the second time in an 18-month period that OpenSSL has faced major security threats, it looks like the time for a new standard is upon us. Last year’s Heartbleed vulnerability was the first sign of OpenSSL’s flaws and shortcomings, which was partially blamed on lackluster maintenance by the developers.
It is important to note that these new vulnerabilities affect all versions of OpenSSL, except for versions 1.0.0 and 0.9.8. Late last week, the Bitcoin network was on high alert from a string of invalid blocks being generated. Oddly enough, that issue only affected certain clients as well, and the matter was resolved swiftly once everyone upgraded their clients to the proper version.
Source: Tweakers (Dutch)
All rights reserved by Bitcoinist Ltd. | 2016.