Which SSL Reviews


New Security Bug Creeps Into OpenSSL Library

July 15, 2015 | By Editor 

The bug has been patched, but the question remains – how can be better protect the web space from data breach?

Last month, the online community was abuzz with confirmed rumors about a new security bug that had found a vulnerability into the OpenSSL library. OpenSSL Project – a volunteer-based, open-source community that provides Secure Sockets Layer (SSL) protection for browers all over the world – stated that they found a high severity bug in their platform and were working to patch the vulnerability at the earliest.

And they did release the fix against the bug within the next few weeks, stating that the bug was intimidating because of its capability to bypass Transport Layer Security (TLS) and SSL certificates. However, it was nothing as serious as the security bugs that rocked the security community a few months back.

If we jog our memory to the recent past, you might remember the infamous Heartbleed security flaw in OpenSSL library that had the online community panicking. It affected millions of sites worldwide, and worst, it was detected only after 2 years of it perpetuating damages to websites including major players like Gmail, Facebook and Yahoo.

Then there was the dreadful Freak Attack of 2015, discovered by Paris-based researcher Karthikeyan Bhargavan, that gave jitters to the internet browsers for its wicked ability to overpower TLS and SSL security layers.

The latest threat is identified as CVE-2015-1793, and according to the OpenSSL group, it has a way of escaping the Certificate Authority (CA) authentication, posing itself as a TLS/SSL document to breach encrypted information.

There were a lot of things significantly different, and better, about the instance of security breach this time around. For one, it was discovered early on for the security companies to curb its spreading. Also, it wasn’t able to affect a lot of people mainly because Google Chrome, Internet Explorer (from Microsoft), Mozilla Firefox and Apple Safari were unaffected. Google has a natively-developed certificate called BoringSSL while the other three rely on their own crypto library for protection.

Nonetheless, the new bug was a looming danger for thousands of web and mobile apps that run on OpenSSL protection.

Want to know the heroes who found this bug? Say your thanks to Adam Langley and David Benjamin from Google’s BoringSSL team, who spotted the first instance of the bug on 24th June, 2015. Interestingly enough, the credit for coming up with a patch to fix the bug also goes to the team at BoringSSL. Turns out, boring is a misnomer for the impressive work they do at BoringSSL!


Be part of an IT community with thousands of subscribers. Get the latest news, blogs, and thought leadership articles. Subscribe now
Email *

Posted in SSL

Be Sociable, Share!

Leave a Comment


* fields are mandatory