New OpenSSL Vulnerability Discovered - Webnames Blog

Webnames.ca would like to notify all customers that our servers have not been affected by the OpenSSL Security Advisory issued on June 5th 2014 and that your information, data and privacy remain secure.

This recently discovered SSL vulnerability again affects the popular OpenSSL encryption software, and comes only weeks after the infamous Heartbleed vulnerability. The new vulnerability exposes information that under normal circumstances is protected by strong encryption. The affected versions are OpenSSL 0.9.8, 1.0.0 and 1.0.1. Refer to the following Advisory link for specifics.

How the vulnerability works

First of all, SSL and TLS certificates protect your information. You can tell whether a website uses SSL or TLS by the “s” after http in its address (https) or by the green lock icon in the address bar. SSL and TLS encrypt and decrypt any data you transmit to the servers of any website you visit; the same protocols also protect email, web servers and instant messaging services.

This recent vulnerability allows a malicious party to intercept communications between a server (website) and a client (web browser) and manipulate the encryption negotiation between the two in such a way that the encryption can be broken and the data deciphered.

What are the risks?

The risks associated with this vulnerability are generally lower than those of Heartbleed, primarily for two reasons:

  1. The man-in-the-middle interception of data is not as likely to occur (but it can still certainly occur – it’s just not low-hanging fruit).
  2. The client (web browser) must also be vulnerable to the exploit. As Internet Explorer, Google Chrome, Mozilla Firefox, Safari and iOS do not use OpenSSL, users of these browsers are not at risk.

In addition, Google has released a new version of Chrome for Android, incrementing the OpenSSL version used in it to 1.0.1h.

What should vulnerable websites do?

Vulnerable web servers should still be patched for good measure. Webnames.ca SSL Certificate customers fall into one of two categories:

A) If you are a Webnames.ca customer and if you have your SSL certificate hosted on our servers, you don’t need to take any additional action. Again, our systems are not vulnerable because of the OpenSSL version that we use.

B) If your SSL certificate is hosted on another system, the following portion of the OpenSSL Advisory may apply to you:

Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.

OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.

OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

As applicable, there are three (3) steps you need to take to secure your server. Note: these must be done in the order listed.

  1. Patch your OpenSSL version.
  2. Once patched, re-issue your SSL certificate. Additional information is available in our Webnames.ca SSL Guide – Reissuance.
  3. Change your password and login information.
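As an added example (not code from the Webnames post or from the OpenSSL advisory), the shell function below classifies an `openssl version` string against the fixed releases quoted above, so step 1 can be confirmed on a server before moving on to reissuance. The function name `openssl_advisory_status` and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Webnames post: classify an OpenSSL version
# string against the fixed releases named in the June 5th 2014 advisory
# (0.9.8za, 1.0.0m, 1.0.1h; 1.0.2-beta1 is listed as vulnerable).
# Caveat: distributions often backport fixes without changing the letter
# suffix, so treat "vulnerable" as "check your vendor's changelog".

# Usage: openssl_advisory_status "OpenSSL 1.0.1g 7 Apr 2014"
# Prints one of: fixed, vulnerable, unknown (branch not covered by the advisory).
openssl_advisory_status() {
    # Accept either the full `openssl version` output or a bare version.
    ver=$(printf '%s\n' "$1" | awk '{ if ($1 == "OpenSSL") print $2; else print $1 }')
    # Split "1.0.1e-fips" into branch "1.0.1" and letter suffix "e".
    branch=$(printf '%s\n' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    suffix=$(printf '%s\n' "$ver" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*\([a-z]*\).*/\1/')
    case "$branch" in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        1.0.2) echo vulnerable; return 0 ;;   # only 1.0.2-beta1 existed, listed as vulnerable
        *)     echo unknown; return 0 ;;
    esac
    # Letter suffixes order by length first ("za" follows "y"), then
    # lexically within the same length. An empty suffix is the oldest release.
    if [ "${#suffix}" -gt "${#fixed}" ]; then
        echo fixed
    elif [ "${#suffix}" -eq "${#fixed}" ] && [ "$(expr "$suffix" \>= "$fixed")" = 1 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Classify the locally installed OpenSSL, if there is one on PATH.
if command -v openssl >/dev/null 2>&1; then
    echo "$(openssl version) -> $(openssl_advisory_status "$(openssl version)")"
fi
```

Branches the advisory does not mention (including every release newer than 1.0.2-beta1) report `unknown` rather than guessing.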


Additional information

For additional questions and further assistance, please contact us at 1-866-221-7878 or email support@webnames.ca.
