Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered

Illustration: Ross Patton/WIRED

The internet is still reeling from the discovery of the Heartbleed vulnerability, a software flaw exposed in April that broke most implementations of the widely used encryption protocol SSL. Now, before Heartbleed has even fully healed, another major bug has ripped off the scab.

On Thursday, the OpenSSL Foundation published an advisory warning to users to update their SSL yet again, this time to fix a previously unknown but more than decade-old bug in the software that allows any network eavesdropper to strip away its encryption. The non-profit foundation, whose encryption is used by the majority of the Web's SSL servers, issued a patch and advised sites that use its software to upgrade immediately.

The new attack, found by Japanese researcher Masashi Kikuchi, takes advantage of a portion of OpenSSL's "handshake" for establishing encrypted connections known as ChangeCipherSpec. It allows the attacker to force the PC and server performing the handshake to use weak keys, which in turn lets a "man-in-the-middle" snoop decrypt and read the traffic.

"This vulnerability allows malicious intermediate nodes to intercept encrypted data and decrypt them while forcing SSL clients to use weak keys which are exposed to the malicious nodes," reads an FAQ published by Kikuchi's employer, the software firm Lepidum. Ashkan Soltani, a privacy researcher who has been involved in analyzing the Snowden NSA leaks for the NSA and has closely tracked SSL's woes, offers this translation: "Basically, as you and I are establishing a secure connection, an attacker injects a command that fools us into thinking we're using a 'private' password whereas we're actually using a public one."

Unlike the Heartbleed flaw, which allowed anyone to directly attack any server using OpenSSL, the attacker exploiting this newly discovered bug would have to be located somewhere between the two computers communicating. But that still leaves open the possibility of anyone from an eavesdropper on your local Starbucks' network to the NSA stripping away your Web connection's encryption before it's even initialized.

The new attack does have other limitations: It can only be used when both ends of a connection are running OpenSSL. Most browsers use other SSL implementations and so aren't affected, says Ivan Ristic, director of engineering at the security firm Qualys, though he adds that Android web clients likely do use the vulnerable code. Among servers, only those using more recent versions of OpenSSL are affected, about 24 percent of the 150,000 servers that Qualys has scanned. He also warns that many VPNs may use OpenSSL and thus be vulnerable. "VPNs are a very juicy target," Ristic says. "People who really care about security use them, and there's likely to be sensitive data there."

According to a blog post by Kikuchi, the roots of the OpenSSL flaw have existed since the very first release of the software in 1998. He argues that despite the widespread dependence on the software and its recent scrutiny following the Heartbleed revelation, OpenSSL's code still hasn't received enough attention from security researchers. "The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation," he writes. "They could have detected the problem."

The revelation of the bug on the one-year anniversary of the Guardian's first publication of Snowden's NSA leaks adds to that grim lesson, says security researcher Soltani. He points to efforts by privacy groups like Reset The Net that have used the Snowden revelations as inspiration to push Internet users and companies to implement more pervasive encryption. Those efforts are undermined, he points out, by the fact that some of the oldest and most widely used encryption protocols may still have fundamental flaws. "There are huge efforts by companies and activists to deploy tools that 'add proven security,'" he says, quoting Reset The Net's website. "Yet there's very little actual work and support of the underlying tools that are being deployed, like OpenSSL. It's pretty shameful that the core library that practically the entire internet relies on for transport security is maintained by a handful of under-resourced engineers."

*Updated at 1:45 ET with comments from Ivan Ristic, Director of Engineering at the security firm Qualys.*