Another Heartbleed-Style OpenSSL Vulnerability Discovered

Polly Mosendz | Nextgov.com | June 6, 2014

Just a few months after Heartbleed was discovered and (thankfully) resolved, another OpenSSL bug is haunting web encryption. The new bug, SSL/TLS MITM, was posted by the OpenSSL group in a formal advisory on Thursday. On the bright side, it's not as bad as Heartbleed, but its not-so-catchy name and lack of publicity mean it will be tough for the public to tackle as quickly.

When Heartbleed was discovered, it was branded as a major issue very quickly and became something of an epidemic, complete with its own website, a scary name, and a creepy logo. SSL/TLS MITM (which I'm going to call SSL until someone names it something like Skinburn or Tummyache) is on a smaller scale than Heartbleed.

It affects the "handshake" process of encryption: the point when the client and the server make a connection and determine that they both agree to encrypt the data. A smart hacker can use the vulnerability to attack the handshake, making it weak. Think of someone pouring oil on both palms, so the hands can't meet and shake properly. Then, the hacker has access to unencrypted data and can modify traffic to both the client and server. Poof, encryption is gone...