Thursday, 12 June 2014

New SSL Vulnerability Uncovered Could Be 16 Years Old

Not too long ago, the Heartbleed SSL vulnerability was all over the news.  Software developers and data communications experts warned that the vulnerability could be exploited by creative hackers without leaving any trace behind and, although numerous patches were offered to close the vulnerability, we are not out of the woods yet.  A brand new problem has been uncovered by a Japanese researcher – an SSL vulnerability that could be 16 years old.

According to news reports, the newly discovered vulnerability lets an attacker positioned between an SSL/TLS client and server tamper with the handshake so that both ends derive their session keys from weak, attacker-predictable material rather than from secrets only they know. Anyone who can capture the traffic after that point can decrypt it, and can modify it as well. The important caveat is that the attack only works when both the client and the server run vulnerable OpenSSL builds; a vulnerable client talking to a patched server, or the reverse, is not exposed. Worst of all, this is not a recent regression: in the 0.9.8 branch every release up to and including 0.9.8y is affected, and the researcher traces the flaw back to OpenSSL's earliest releases.

The WHIR reports that Ubuntu, Debian, CentOS, Red Hat and FreeBSD have already released security updates to close the loophole, and other vendors are likely to follow in the coming days.  Experts suggest that companies contact their individual vendors if they are unsure whether a security update has been released.  They are also warning data centres, hosting providers and software developers to be on the lookout for problems with OpenSSL.  Like Heartbleed, this new vulnerability can be exploited without leaving a trace on the affected endpoints: the tampering happens inside the handshake, so neither side's application logs record it, and only a packet capture of the handshake itself would reveal it.
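As a practical first check, here is an added shell snippet, written for this post and not taken from the WHIR report or from the OpenSSL project, that compares a host's OpenSSL version string against the releases that closed the flaw. The fixed release numbers (0.9.8za, 1.0.0m and 1.0.1h) come from the OpenSSL project's advisory of 5 June 2014 and are not stated in the original post. The caveat that matters in practice: Debian, Ubuntu and Red Hat commonly ship backported fixes without changing the upstream version number, so an "older than the fix" result means "check the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project):
# triage an OpenSSL version string against the releases that closed the
# June 2014 handshake flaw. Fixed releases per the OpenSSL advisory of
# 5 June 2014: 0.9.8za, 1.0.0m, 1.0.1h. Distributions commonly backport
# the fix without bumping the upstream version, so "older than the fix"
# means "verify via the package changelog", not "confirmed vulnerable".

# Compare two OpenSSL version strings of the form MAJOR.MINOR.PATCH[letters]
# (e.g. 1.0.1g, 0.9.8za). Prints "lt", "eq" or "gt".
openssl_vercmp() {
    v1=$1; v2=$2
    b1=${v1%%[a-z]*}; s1=${v1#"$b1"}     # numeric base and letter suffix
    b2=${v2%%[a-z]*}; s2=${v2#"$b2"}
    old_ifs=$IFS; IFS=.
    set -- $b1; n1a=${1:-0}; n1b=${2:-0}; n1c=${3:-0}
    set -- $b2; n2a=${1:-0}; n2b=${2:-0}; n2c=${3:-0}
    IFS=$old_ifs
    for pair in "$n1a:$n2a" "$n1b:$n2b" "$n1c:$n2c"; do
        x=${pair%%:*}; y=${pair#*:}
        [ "$x" -lt "$y" ] && { echo lt; return 0; }
        [ "$x" -gt "$y" ] && { echo gt; return 0; }
    done
    # OpenSSL letter suffixes run a..z, then za, zb, ...: a shorter suffix
    # always sorts earlier ("" < "y" < "za"); equal lengths compare lexically.
    if [ ${#s1} -ne ${#s2} ]; then
        [ ${#s1} -lt ${#s2} ] && echo lt || echo gt
    elif [ "$s1" = "$s2" ]; then
        echo eq
    elif expr "$s1" \< "$s2" >/dev/null; then
        echo lt
    else
        echo gt
    fi
}

# Minimum fixed release for the branch a version belongs to; fails for
# branches the advisory's fixed-release list does not cover (e.g. 1.0.2 betas).
openssl_fixed_for() {
    case $1 in
        0.9.8*) echo 0.9.8za ;;
        1.0.0*) echo 1.0.0m ;;
        1.0.1*) echo 1.0.1h ;;
        *)      return 1 ;;
    esac
}

# Verdict for one version token. Exit status: 0 at or beyond the fix,
# 1 older than the fix (check the vendor changelog), 2 unknown branch.
openssl_fix_status() {
    v=$1
    fixed=$(openssl_fixed_for "$v") || { echo "$v: branch not in the advisory's fixed-release list"; return 2; }
    case $(openssl_vercmp "$v" "$fixed") in
        lt) echo "$v predates $fixed: confirm a backported fix via the package changelog"; return 1 ;;
        *)  echo "$v is at or beyond $fixed"; return 0 ;;
    esac
}

# Run against the local build when one is present. `openssl version` prints
# e.g. "OpenSSL 1.0.1g 7 Apr 2014"; the second field is the version token.
if command -v openssl >/dev/null 2>&1; then
    openssl_fix_status "$(openssl version | awk '{print $2}')" || true
fi
```

The version comparison deliberately handles OpenSSL's letter-suffix scheme, since a naive string compare would rank 0.9.8y after 0.9.8za and report a vulnerable build as fixed.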

The issue was apparently discovered just days after funding was provided by the Core Infrastructure Initiative to hire two core developers for the OpenSSL project.  Organisers say the two positions are necessary in order to maintain the type of code management policies that would prevent these kinds of issues from going undetected for so long.

Historically, the problem with OpenSSL has been a lack of code review by experts in TLS/SSL security.  Even when reviews were conducted, they were not given the scrutiny needed to catch either Heartbleed or this newly discovered vulnerability.

Never Completely Secure

The most compelling part of this story from our perspective is that the vulnerability could be 16 years old.  If the researcher is right, it has been present since the earliest releases of OpenSSL in the late 1990s.  It is hard for us to even imagine the amount of damage that may have been done over the years, and it is damage whose true scope we may never know.

With that in mind, the recent discovery of OpenSSL vulnerabilities is yet another reminder that modern Internet communications will never be completely secure. Those who make their living by hacking legitimate businesses and government entities will continue doing what they do for the foreseeable future.  All we can do to fight back is practice due diligence in security and, where required, go back and fix the mistakes of the past.

We hope that the OpenSSL project and other open source initiatives have learned a valuable lesson here.  Even the open source model requires full-time coders capable of reviewing new code as it is developed. Leaving it to chance is no longer an option any of us can afford.
