Thursday, June 5, 2014

SSL/TLS MITM Vulnerability

Andy Greenberg:

On Thursday, the OpenSSL Foundation published an advisory warning to users to update their SSL yet again, this time to fix a previously unknown but more than decade-old bug in the software that allows any network eavesdropper to strip away its encryption. The non-profit foundation, whose encryption is used by the majority of the Web’s SSL servers, issued a patch and advised sites that use its software to upgrade immediately.

Masashi Kikuchi:

The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should have been verified OpenSSL code in the same way they do their own code. They could have detected the problem.

Fuzzing may have worked. However, as the history (see below) shows, knowledge of TLS/SSL implementation seems vital.

Comments RSS · Twitter

Leave a Comment