Severe vulnerability found in OpenSSL just months after Heartbleed

Would you use a plug-in that tells you when you write "sorry" "just" or "I think" in an e-mail?. Michael Smith/Newsmakers/File

TORONTO – Another major security vulnerability has been discovered in OpenSSL encryption technology, leaving users vulnerable to man-in-the-middle-style attacks.

The OpenSSL Foundation published a security advisory Thursday warning websites to update code to fix a decade-old bug that would allow an attacker to eavesdrop on network traffic and decrypt the information.

A patch has been issued to correct the vulnerability and websites are being urged to upgrade their software immediately.

The new vulnerability comes just two months after the widespread Heartbleed bug was discovered.

Heartbleed, which some experts called the biggest security vulnerability in the history of the Internet, was a flaw found in a line of code in OpenSSL.

READ MORE: What is the Heartbleed bug and why is it a big deal?

The security flaw created an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. Heartbleed allowed attackers to snoop on Internet traffic even if the padlock icon was closed.

Story continues below advertisement

The new vulnerability, found by security researcher Masashi Kikuchi, affects a portion of the “handshake” that establishes an encrypted connection. An attacker would be able to force the computer and the server to use a weak key that would allow them to decrypt the traffic.

Breaking news from Canada and around the world sent to your email, as it happens.

“The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL,” read the advisory.

According to the security advisory, OpenSSL was alerted to the issue on May 1 – however, Kikuchi says the bug has existed since the very first release of OpenSSL.

The Heartbleed bug went undetected for two years.

After the Heartbleed bug was discovered, many experts called on the security community to step up and help run security audits on OpenSSL – an open-source project.

READ MORE: Heartbleed may lead to more security audits, advanced security services

“The team that works on OpenSSL is very small and they do very good work, but there are a lot of lines of code and this was exploiting a very small piece of the OpenSSL package,” said Chris Parsons, a post-doctoral fellow with the Citizen Lab at the Munk School of Global Affairs during the Heartbleed bug fallout.

Story continues below advertisement

In April, over a dozen tech giants, including Google, Microsoft and Facebook, joined forces to help fund OpenSSL, donating $100,000 each per year for the next three years to help the project.

Sponsored content