
Second OpenSSL flaw discovered

A second serious flaw has been found in the security software used to protect about two-thirds of all websites from cyber criminals, a month after the first, called Heartbleed, prompted consumers across the world to change their passwords.

The vulnerability was reported on Thursday in the OpenSSL software, best known as the technology behind the padlock shown next to a web address, but it had existed for up to 10 years.

The organisation behind the open source technology said companies now need to update their software again to prevent so-called "man-in-the-middle attacks", in which an attacker sitting between a computer and, for example, a public wifi network can decrypt the communication passing between them.

It is not known whether the flaw has been used, but attackers often pounce during the window after a vulnerability has been announced, and before every site has updated its software.

Nicholas J. Percoco, vice-president of strategic services at Rapid7, a Boston-based cyber security company, explained that the flaw probably affected "the majority of systems on the internet".

"A man-in-the-middle attack is dangerous because it can allow an attacker to intercept data that was presumed to be encrypted between a client (for example, an end user) and a server (for example, the online bank)," he said. "This attack is also passive in nature and may not be detected by a client, server or network-based security controls."

The flaw may have gone undiscovered for so long because the code behind the software is complex and few computer engineers are experts in it.

This latest discovery comes after the Heartbleed bug, one of the most significant breaches of internet security ever, was found in the same software at the beginning of April. That flaw enabled hackers to obtain confidential data, including passwords, that was held in a computer's short-term memory.

After Heartbleed was announced, companies including Google, Amazon, Yahoo and Facebook rushed to update their software. Those which did not make it in time, including the Canadian tax authority and the UK parenting site Mumsnet, suffered attacks. US regulators warned of the risk of criminals impersonating online banking sites and stealing passwords.

However, Symantec, another cyber security company, stressed that this bug was not as serious as Heartbleed because it was much harder to exploit and relied on both the client computer and the server already running vulnerable software. Symantec advised consumers to avoid using unsecured wifi, to change passwords regularly and not to use the same password for different sites.

The non-profit organisation behind the widely used open source software has complained of being chronically under-resourced: before the Heartbleed bug was announced, it ran on less than the equivalent of two full-time engineers.

Since then, Microsoft, Google and Salesforce have joined a long list of technology companies in forming the Core Infrastructure Initiative to fund OpenSSL and other crucial building blocks of the internet.

© The Financial Times Limited 2014. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation
