Monday, April 7, 2014

SS'more SSL SSuckage

Today's nasty flaw is a critical weakness in certain versions of OpenSSL, which can expose private keys and credentials and apparently has been part of OpenSSL for at least two years.

Although Mac OS X's built-in SSL library is based on OpenSSL, no version that shipped with any version of Mac OS X (even 10.9) is vulnerable to this particular bug; the issue only exists in OpenSSL 1.0.1 through 1.0.1f and 10.4-10.9 are based on either 0.9.7 or 0.9.8. However, this could be a problem for our Linux users, and an application that ships with an updated version of OpenSSL (or MacPorts, Fink or Tigerbrew/Homebrew users who built their own OpenSSL) could also be vulnerable. And, of course, there may be other issues with OS X's built-in SSL library that have not been patched either.

TenFourFox is not vulnerable to this problem directly because we use NSS, not OpenSSL, which is a very different SSL library. Unfortunately, the attack method is straightforward and does not appear to leave any trace, so it's entirely possible for a service you use to have been victimized already without their knowledge. If that's the case, an attacker can masquerade as that site and present an entirely legitimate certificate which any browser will accept, since it's signed with a perfectly valid private key. We really have no idea how deep this rabbit hole goes.

No comments:

Post a Comment

Due to an increased frequency of spam, comments are now subject to moderation.