Back in April, the Internet was abuzz about a new vulnerability in OpenSSL, the encryption library that protects practically every major website. Dubbed Heartbleed, the bug let an attacker make a server leak chunks of its memory, which could include the private keys that protect sensitive data as it traverses the network.
Yesterday, another vulnerability was found in OpenSSL. This one lets an attacker who can intercept your traffic, for instance on the same network as you, decrypt your data and steal information such as passwords and credit card numbers; this kind of interception is known as a "man in the middle" attack. Although it is still a big deal, it is nowhere near as critical as Heartbleed was, despite what the researcher who discovered the flaw says. There are several reasons why.
The first reason is that a potential attacker has to sit between you and the server. That is a real risk on a public Wi-Fi network at your local coffee shop, but it is much less likely at your office or in your home, so the attack surface is vastly reduced. In addition, most people are simply surfing websites with a browser, and the major desktop browsers do not use OpenSSL for their encrypted connections (although mobile versions of Chrome, which do, may be affected), so there is nothing to worry about there.
The second reason is that in order to exploit the flaw, both the client and the server have to be running vulnerable versions of OpenSSL. As soon as either side updates, the vulnerability is gone. Heartbleed, on the other hand, could be exploited against any server that was running the vulnerable version, whatever the client.
The latest OpenSSL vulnerability also only affects the current session. Once you move to another network, upgrade your copy of OpenSSL, or the server side does the same, the hole is closed. The bad guys may have stolen some of your information, but water is no longer leaking through the dam. With Heartbleed, it was theorized, and later demonstrated, that the actual private keys that websites use could be extracted, making every connection to the site suspect until a new key was generated and the old certificate revoked.
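One practical caveat to "upgrade your version of OpenSSL": on Linux, installing the patched package does not fix a daemon that is already running, because that process keeps the old libssl/libcrypto mapped in memory until it is restarted. The script below is an added example (not from the article or from OpenSSL.org) that lists such processes by looking for library mappings the kernel has flagged "(deleted)" in /proc/<pid>/maps after the file on disk was replaced; the optional directory argument is a hypothetical knob so the same logic can be run against constructed sample data instead of the live /proc.

```shell
#!/bin/sh
# Added example, not code from the article or the OpenSSL project.
# After the package manager replaces libssl/libcrypto on disk, any process
# that loaded the OLD copy still has it mapped and remains exploitable until
# restarted.  Linux shows such mappings with a "(deleted)" suffix in
# /proc/<pid>/maps, which is what this function searches for.
#
# $1 (optional, hypothetical knob): root of a /proc-like tree; defaults to /proc.
# Output: one "<pid> <command>" line per process still using a replaced library.
stale_openssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip the unexpanded glob (no PIDs) and maps we are not allowed to read.
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # Match on the shared-object name rather than a full path, since
        # distributions install OpenSSL under different directories.
        if grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" >/dev/null 2>&1; then
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Usage on a live host (run as root to read every process's maps):
#   stale_openssl_procs | sort -n
# Then restart each listed service so it loads the patched library.
```

Listing an empty result is the goal after an OpenSSL upgrade; anything still printed is a service that has the fixed package installed but is still running the vulnerable code.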
None of this is meant to imply that the OpenSSL vulnerability isn't a big deal; any time a flaw is found in an encryption library, it's a big deal. It's just not time for public hysteria the way it was with Heartbleed.
Source: OpenSSL.org