06-16-2014 12:51 PM
By Lucian Constantin | Published: 15:20, 16 June 2014
Some of the Internet's most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.
On June 5, developers of the widely used OpenSSL crypto library released emergency security patches to address several vulnerabilities, including one tracked as CVE-2014-0224 that could allow attackers to spy on encrypted connections if certain conditions are met.
Until a few years ago, full-session encryption via HTTPS (HTTP with SSL) was mainly used by financial, e-commerce and other sites dealing with sensitive information. However, the increasing use of mobile devices that often connect over insecure wireless networks, coupled with the past year's revelations of upstream bulk data collection by spy agencies, led to a large number of sites adding support for it.
06-17-2014 03:52 PM
By Frank Ohlhorst June 17, 2014
The OpenSSL project has announced six additional vulnerabilities for the organization's cryptography platform, creating some concern that there are additional flaws yet to be uncovered. That latest batch of vulnerabilities include denial of service, information disclosure and potential remote code execution - all of which should be of a major concern to anyone protecting corporate IT resources.