Another OpenSSL Vulnerability Left Encrypted Data Exposed For 10 Years

It’s been just a few months since the Heartbleed OpenSSL security flaw was discovered, and we’re now learning about a newly-discovered hole in the widely-used security protocol. The good news is that there’s a fix. The bad news is that the vulnerability has existed for a decade, and we’ll never know how much it was exploited.

Wired reports that the OpenSSL Foundation, the non-profit that keeps a watchful eye over the security protocol, just published an advisory warning about a decade-old bug discovered by Japanese security researcher Masashi Kikuchi. Dubbed the CCS Injection Vulnerability, the bug allows attackers who are eavesdropping on a network to nab encrypted data during the “handshake” that establishes secure connections. During the handshake, the attacker can force the servers to use weak encryption keys, which lets them decrypt the data.

Luckily, there’s a fix for the bug published by Kikuchi’s employer Lepidum, but because the attack leaves no trace, we’ll never know how many times it was exploited, if at all. [Lepidum via Wired]

