OpenSSL fixes serious flaw that could enable man-in-the-middle attacks

The vulnerability allows attackers to generate rogue certificates that pass OpenSSL's validation

Digital key

Digital key

A flaw in the widely used OpenSSL library could allow man-in-the-middle attackers to impersonate HTTPS servers and snoop on encrypted traffic. Most browsers are not affected, but other applications and embedded devices could be.

The OpenSSL 1.0.1p and 1.0.2d versions released Thursday fix an issue that could be used to bypass certain checks and trick OpenSSL to treat any valid certificates as belonging to certificate authorities. Attackers could exploit this to generate rogue certificates for any website that would be accepted by OpenSSL.

"This vulnerability is really only useful to an active attacker, who is already capable of performing a man-in-the-middle (MITM) attack, either locally or upstream from the victim," said Tod Beardsley, security engineering manager at Rapid7, via email. "This limits the feasibility of attacks to actors who are already in a privileged position on one of the hops between the client and the server, or is on the same LAN and can impersonate DNS or gateways."

The problem was introduced in OpenSSL versions 1.0.1n and 1.0.2b that were released on June 11 to fix five other security vulnerabilities. Developers and server administrators who did the right thing and updated their OpenSSL versions last month, should do so again immediately.

OpenSSL versions 1.0.1o and 1.0.2c that were released on June 12 are also affected.

"This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication," the OpenSSL Project said in a security advisory published Thursday.

An example of servers that validate client certificates for authentication are VPN servers.

Fortunately, the four major browsers are not impacted because they don't use OpenSSL for certificate validation. Mozilla Firefox, Apple Safari and Internet Explorer use their own crypto libraries and Google Chrome uses BoringSSL, a Google-maintained fork of OpenSSL. The BoringSSL developers actually discovered this new vulnerability and submitted the patch for it to OpenSSL.

The real-world impact is likely not very high. There are desktop and mobile applications that use OpenSSL to encrypt their Internet traffic, as well as servers and Internet-of-Things devices that use it to secure machine-to-machine communications.

But even so, their number is small compared to the number of Web browser installations and it's unlikely that many of them use a recent version of OpenSSL that is vulnerable, said Ivan Ristic, director of engineering at security vendor Qualys and creator of SSL Labs.

For example, the OpenSSL packages distributed with some Linux distributions, including Red Hat, Debian and Ubuntu are not affected. That's because Linux distributions typically backport security fixes into their packages instead of completely updating them to new versions.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchessecurityRapid7patch managementencryptionOpenSSL ProjectExploits / vulnerabilities

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?