New OpenSSL vulnerability disclosed: can be used for man-in-the-middle attacks
Morning news, June 6, Beijing time: on Thursday, the OpenSSL Foundation issued a warning that a vulnerability that has existed for 10 years could allow hackers to launch man-in-the-middle attacks against traffic encrypted with OpenSSL.
Information security experts are still working to resolve the Heartbleed vulnerability in the OpenSSL encryption protocol. According to AVG Virus Labs data, 12 thousand popular domain names are still affected by that vulnerability. According to the news released by the OpenSSL Foundation, hackers may use the new vulnerability to intercept encrypted traffic, decrypt it, and then read its contents.
OpenSSL users are advised to install the new patch and upgrade to the latest version of the OpenSSL software. The vulnerability was discovered by Masashi Kikuchi, a researcher at the Japanese software company Lepidum. Lepidum’s website says: "when a server and client have a vulnerability, an attacker can eavesdrop and forge your communications."
Unlike Heartbleed, which allows the server to be attacked directly, this new vulnerability requires the hacker to be positioned between the two computers. For example, users of open WiFi at an airport may become targets of attack.
This vulnerability has existed since the first release of OpenSSL in 1998. Heartbleed was introduced in 2011, when OpenSSL was upgraded at the new year.
That this vulnerability went undiscovered for more than a decade once again demonstrates the shortcomings of OpenSSL management. OpenSSL is open source, which means that anyone can evaluate and update it. For this reason, OpenSSL is believed to be safer and more reliable than proprietary code developed by a company.
But in fact, OpenSSL has only 1 full-time developer in Europe, along with a core group of volunteer programmers, and its operations rely on $2000 a year in donations. Even so, OpenSSL is still used to encrypt most of the world’s web servers, and is widely used by Amazon, Cisco and other large companies.
After Heartbleed was discovered, companies including Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware promised to invest $100 thousand annually over the next 3 years in the Core Infrastructure Initiative project. This new open source project, led by the Linux Foundation, is for supporting key OpenSSL