Beware of SSL and OpenSSL Security Issues


In a previous post, we discussed why encryption is an absolutely essential component of IT security. Encryption makes data unreadable without an encryption key, preventing that data from being compromised even when other security tools fail. We also explained Advanced Encryption Standard (AES), which encrypts data in hardware, software and encrypted environments, as well as the importance of strong encryption keys and proper methods for storing these keys.

If encryption is so effective, one might ask why Secure Sockets Layer (SSL) encryption and OpenSSL have so many security holes. SSL is a networking protocol that manages server and client authentication and creates a secure, encrypted network connection between servers and clients. Similar to a driver’s license or passport, an SSL certificate serves as the online identification of a domain and web server and must be authenticated before data is decrypted. OpenSSL is a general-purpose cryptography library that provides an open-source implementation of SSL and Transport Layer Security (TLS). Approximately two-thirds of all web servers use OpenSSL.

As mentioned in the previous post, older SSL encryption code with weak 40-bit cryptography still exists in many web servers and browsers. This code could be cracked in a matter of hours, leaving millions of websites vulnerable to FREAK (factoring attack on RSA-EXPORT keys) attacks. In fact, University of Michigan researchers estimate that more than one-third of “encrypted” websites are vulnerable to such an attack. OpenSSL has a bug that makes it possible to accept weak RSA export-grade keys even when these keys haven’t been requested. Hackers can easily downgrade the security of a connection, making it easier to attack.

Another recent SSL issue stemmed from Logjam attacks. Although few Logjam attacks have been successful, a man-in-the-middle attacker could downgrade a vulnerable TLS connection to weaker encryption that’s easier to break and then launch an attack. Patches for both Logjam and FREAK attacks have been released and should be deployed as soon as possible. If they are not deployed, these security holes could be used to cause Denial-of-Service (DoS) attacks and memory corruption.

Yet another SSL vulnerability called POODLE (Padding Oracle on Downgraded Legacy Encryption) allows cyber criminals to steal a user’s password and private data to access a website. The POODLE problem led the Payment Card Industry Security Standards Council (PCI SSC) to announce that SSL 3.0 and TLS 1.0 are no longer secure enough to protect cardholder data. As a result, security experts warned organizations to stop using them immediately.

A set of 12 OpenSSL patches was released several months ago and must be deployed right away. Unless these holes are plugged, organizations will be susceptible to DoS attacks. Many organizations, and several Android apps, are still vulnerable to FREAK attacks, which are capable of penetrating a wide variety of servers and operating systems. It’s important to realize that many of these threats haven’t disappeared. They’re hiding in old code, waiting for a hole to exploit, so take steps now to deploy the latest patches and protect your data.
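To check a server's scan results against the weaknesses described above, the following added example (not part of the original post) flags SSL 3.0, TLS 1.0 and export-grade cipher suites, and builds a client context that refuses them. The function names and the sample scan data are constructed for illustration; the FREAK/Logjam split assumes OpenSSL's `EXP-` naming for export suites.

```python
import ssl

# Protocol versions the article says PCI SSC no longer accepts.
DEPRECATED_PROTOCOLS = {
    "SSLv3": "POODLE; no longer accepted by PCI SSC",
    "TLSv1": "no longer accepted by PCI SSC",
}

def classify_cipher(name):
    """Return the downgrade attack an OpenSSL cipher-suite name exposes, or None."""
    if not name.startswith("EXP"):   # OpenSSL names export-grade suites EXP-...
        return None
    if "DH" in name:                 # export Diffie-Hellman (EDH/ADH): Logjam target
        return "Logjam"
    if "KRB5" in name:               # export Kerberos suites: weak, but neither attack
        return "export-grade"
    return "FREAK"                   # remaining export suites use RSA-EXPORT keys

def audit(protocols, ciphers):
    """List (item, reason) pairs for every weak protocol or cipher offered."""
    findings = [(p, DEPRECATED_PROTOCOLS[p]) for p in protocols
                if p in DEPRECATED_PROTOCOLS]
    findings += [(c, classify_cipher(c)) for c in ciphers if classify_cipher(c)]
    return findings

def hardened_client_context():
    """Client context that refuses SSL 3.0, TLS 1.0/1.1 and export suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!EXPORT:!aNULL:!eNULL")
    return ctx

def local_exposure():
    """Audit the suites the local OpenSSL build enables in the hardened context."""
    ctx = hardened_client_context()
    return audit([], [c["name"] for c in ctx.get_ciphers()])

# Constructed sample: what a scanner might report for an unpatched server.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "EXP-RC4-MD5",
                  "EXP-EDH-RSA-DES-CBC-SHA"]

if __name__ == "__main__":
    for item, reason in audit(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(f"WEAK  {item}: {reason}")
    print("hardened local context findings:", local_exposure())
```

An empty result from `local_exposure()` means the installed OpenSSL build offers no export-grade suites in the hardened context.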