Story 2014-06-05 3NE OpenSSL CCS Injection Vulnerability

OpenSSL CCS Injection Vulnerability

in security (#3NE)
A researcher reviewing the OpenSSL library has found another bug in the implementation.
This [vulnerability] can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server.
Pretty much all versions of OpenSSL from the last few years are affected.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
https://www.openssl.org/news/secadv_20140605.txt
3 comments

Not a Big One (Score: 0)

by Anonymous Coward on 2014-06-06 01:32 (#20Z)

If I understand correctly, this only applies to OpenSSL client to OpenSSL server communication, NOT browser to OpenSSL server (?).

So while huge for those who relied on it this way, the pool of vulnerability is smaller than Heartbleed.

Re: Not a Big One (Score: 1)

by tempest@pipedot.org on 2014-06-06 12:43 (#211)

Since the major browsers use something other than SSL, it's not a big deal as far as browser security, no. Some utilities (can) use OpenSSL, like wget, and anything secured using stunnel is vulnerable. My only worry is patching my mail servers, some of which talk to each other using TLS only and assume the connection is secure.

We are being bred for slavery (Score: -1, Troll)

by Anonymous Coward on 2014-06-07 22:58 (#217)

They are dismantling the sleeping middle class. More and more people are becoming poor. We are their cattle. We are being bred for slavery.
