![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Entry tags:
In addition to Heatbleed, there's another serious vulnerability in OpenSSL
There's a concept called a man in the middle attack, you can think of it as someone listening in on your phone call so they here both sides of the conversation. In the way the internet works, it's doable, but not as easily. Well, this bug makes it kind of easy.
If you're able to position yourself between two computers that are both using certain versions of OpenSSL for encryption and privacy, then the middle man has the ability to intercept the encrypted packets when they're trying to establish the secure session and tell both hosts, silently, to switch to a weaker form of crypto. A form that presumably the middle man knows how to break.
So if you updated your OpenSSL software for Heartbleed, now you get to update it again.
OpenSSL is used a lot, but is not universal on the internet. One place where it is used heavily: Android smartphones and presumably tablets.
http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncovered/
If you're able to position yourself between two computers that are both using certain versions of OpenSSL for encryption and privacy, then the middle man has the ability to intercept the encrypted packets when they're trying to establish the secure session and tell both hosts, silently, to switch to a weaker form of crypto. A form that presumably the middle man knows how to break.
So if you updated your OpenSSL software for Heartbleed, now you get to update it again.
OpenSSL is used a lot, but is not universal on the internet. One place where it is used heavily: Android smartphones and presumably tablets.
http://www.wired.com/2014/06/heartbleed-redux-another-gaping-wound-in-ssl-uncovered/