OpenSSL Not Completely Secure

Monday, March 5, 2012 @ 05:03 PM gHale

There is now an attack method that can bypass the security measures offered by OpenSSL, allowing an attacker to recover the cryptographic key that ensures data transferred in an encrypted form between users and secure web servers.

By triggering a bug in the software with the aid of cleverly designed messages sent to the web servers, the experts managed to recover part of the cryptographic key, according to Dr. Dan Page, a senior lecturer in computer science in the Department of Computer Science at the University of Bristol in England. If an attacker uses a large number of messages, it is possible to obtain the entire key.

Oracle Patches DoS Hole
OpenSSL Patches Bug Offered in Fix
OpenSSL Offering Patches 6 Flaws
Google Looks at HTTPS Security

“Our work suggests an underlying problem. With software and hardware playing increasingly significant roles in our day-to-day life, how much can and should we trust them to be correct?” Page asked.

“The answer, in part at least, is a stronger emphasis on and investment in formal verification and correctness of open source software. Our research highlights the important role this topic will play for software engineers of the future.”

The approach proposed by the team only works on the 0.9.8g version of OpenSSL and only on certain configurations, but if it works it can represent yet another threat to the integrity of the SSL protocol on which so many businesses rely these days.

In the case of the e-commerce websites, whose popularity is constantly growing among Internet users, the exposure of the cryptography key can make the difference between credit card number being safe, or ending up in the hands of a profit-driven hacker.

Newer versions of OpenSSL are not susceptible to the attack described by the researchers, which once again highlights the necessity for companies to always apply the latest patches.

Leave a Reply

You must be logged in to post a comment.