Popular HTTPS sites still vulnerable to OpenSSL connection hijacking attack

  • 16 June 2014
  • 1 reply
  • 411 views

Userlevel 7
Badge +54

A known critical vulnerability in OpenSSL can be exploited on over 20,000 of Internet's top 155,000 SSL sites, a researcher from Qualys said

 
By Lucian Constantin | Published: 15:20, 16 June 2014
 
Some of the Internet's most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.
On June 5, developers of the widely used OpenSSL crypto library released emergency security patches to address several vulnerabilities, including one tracked as CVE-2014-0224 that could allow attackers to spy on encrypted connections if certain conditions are met.
Until a few years ago, full-session encryption via HTTPS (HTTP with SSL) was mainly used by financial, e-commerce and other sites dealing with sensitive information. However, the increasing use of mobile devices that often connect over insecure wireless networks, coupled with the past year's revelations of upstream bulk data collection by spy agencies, led to a large number of sites adding support for it.
 
Full Article
 
 

1 reply

Userlevel 7
Badge +54
By Frank Ohlhorst June 17, 2014
 
In the two months since the OpenSSL vulnerability known as Heartbleed hit the headlines and active solutions were offered to plug the security breach, more vulnerabilities have begun to surface.The OpenSSL project has announced six additional vulnerabilities for the organization's cryptography platform, creating some concern that there are additional flaws yet to be uncovered. That latest batch of vulnerabilities include denial of service, information disclosure and potential remote code execution - all of which should be of a major concern to anyone protecting corporate IT resources.
 
Full Article
 

Reply