Articles about openssl

Milos Prvulovic and Alenka Zajic at Georgia Tech

May the May update be with you: OpenSSL key sniffed from radio signal

If you missed the OpenSSL update released in May, go back and get it: a Georgia Tech team recovered a 2048-bit RSA key from OpenSSL using smartphone processor radio emissions, in a single pass. The good news is that their attack was on OpenSSL 1.1.0g, which was released last November, and the library has been updated since …

The week that QoS in networking, aka WAN, RAN, thank you ma'am

Roundup Nokia has claimed a first by demonstrating a cloud-based radio access network (RAN) running on an operational carrier network. The demonstration was on the Orange network in Poland. The March – May 2018 trial used Nokia's AirScale Cloud RAN, and was designed to help both carrier and vendor get ready for 5G deployments. The …

OpenSSL alpha adds TLS 1.3 support

Developers working with OpenSSL can finally start to work with TLS 1.3, thanks to the alpha version of OpenSSL 1.1.1 that landed yesterday. Getting TLS 1.3 into users' hands and working with infrastructure has been a long, slow process: the first version of its Internet-Draft dates back to April 2014, it reached version 23 in …

Optimus multi-prime is the new rule as OpenSSL transforms crypto policies again

OpenSSL's maintainers have put the squeeze on insecure ciphers, with a raft of changes to how the project operates. The changes were announced here following an OpenSSL management committee (OMC) meeting in London. The cryptography policy changes include making sure insecure configurations aren't enabled by default, but …

Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more

Analysis The OpenSSL project, possibly the most widely used open-source cryptographic software, has a license to kill – specifically its own. But its effort to obtain permission to rewrite contributors' rights runs the risk of alienating the community that sustains it. The software is licensed under the OpenSSL License, which includes …
Thomas Claburn, 24 Mar 2017

OpenSSL pushes trio of DoS-busting patches

OpenSSL's released patches for a trio of denial-of-service bugs. The first (CVE-2017-3731), turned up by Google's Robert Święcki, only affects SSL/TLS servers running on 32-bit hosts. Depending on the cipher the host is using, a truncated packet crashes the system by triggering an out-of-bounds read. It's version-specific: …

It's 2017 and 200,000 services still have unpatched Heartbleeds

Some 200,000 systems are still susceptible to Heartbleed more than two years and nine months after the huge vulnerability was disclosed. Patching efforts spiked after news dropped in April 2014 of the world's most well-known and, at the time, most catastrophic bug. The vulnerability (CVE-2014-0160) that established the …
Darren Pauli, 23 Jan 2017

What do you give a bear that wants to fork SSL? Whatever it wants!

Into a world already crowded with big name alternatives to OpenSSL, an indie project could look like “yet another SSL implementation,” but Vulture South suspects there are good reasons to take a close look at the just-launched BearSSL. One is that its author, Thomas Pornin, has ignored the kinds of legacy protocols that occupy …

Patch AGAIN: OpenSSL security fixes now need their own security fixes

Sysadmins and devs, fresh from a weekend spoiled by last week's OpenSSL emergency patch, have another emergency patch to install. One of last week's fixes, for CVE-2016-6307, created CVE-2016-6309, a dangling pointer security vulnerability. As the fresh advisory states: “The patch applied to address CVE-2016-6307 resulted in …
Team Register, 26 Sep 2016

OpenSSL swats a dozen bugs, one notable nasty

A dozen flaws have been patched in OpenSSL, including one high severity hole that allows denial of service attacks. The OpenSSL Project pushed patches in versions 1.1.0a, 1.0.2i and 1.0.1u, with most of the flaws flagged as low severity risks. The nastiest vulnerability (CVE-2016-6304) results when attackers issue a massive …
Team Register, 23 Sep 2016

Yay! It's International Patch Your Scary OpenSSL Bugs Day!

Six security patches – two of them high severity – have been released today for OpenSSL 1.0.1 and 1.0.2. Last week, the open-source crypto-library project warned that a bunch of fixes were incoming, and true enough, Tuesday’s updates address serious flaws that should be installed as soon as possible. CVE-2016-2108 is a …
Iain Thomson, 3 May 2016

Batten down the hatches! OpenSSL preps fix for high impact vuln

Sysadmins, brace yourselves: OpenSSL has announced upcoming security fixes will fix a “high” impact flaw. Every OpenSSL release since the infamous Heartbleed vulnerability of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h and 1.0.1t releases as to others before it. The last major …
John Leyden, 28 Apr 2016

Awoogah – brown alert: OpenSSL preps 'high severity' security fixes

Developers behind the widely used OpenSSL encryption library have warned that they will issue fixes for a mix of bugs next Tuesday (1 March). The patches will land right in the middle of the RSA Conference, infosec marketing's version of the Super Bowl. It's understood the bugs are significant (as in, patch as soon as you can …
John Leyden, 25 Feb 2016

OpenSSL fixes bug, gets dissed by German gov: That's so random ... not

Days after fixing a rare but dangerous key recovery attack, the developers of OpenSSL have been dealt a fresh blow with a poor review of the technology from a German government agency. An extensive security study and code review on OpenSSL by Sirrix AG (and sponsored by the BSI (Bundesamt für Sicherheit in der …
John Leyden, 4 Feb 2016

OpenSSL patch quashes rare HTTPS nasty, shores up crypto chops

OpenSSL maintainers have pushed a pair of patches, crushing a dangerous but uncommon bug that allows HTTPS to be unravelled while also hardening servers against downgrade attacks. Affected servers are open to key recovery attacks only if they run certain Digital Signature Algorithm and static Diffie-Hellman key exchange …
Team Register, 29 Jan 2016

Netherlands votes to splash cash on encryption projects

The Netherlands' Lower House has thrown its weight behind a plan to improve key open source security solutions, and has voted €500,000 towards a range of projects. Swimming against the European tide somewhat, the house said it wants to strengthen data encryption, rather than weakening it. Originally, D66 MP Kees Verhoeven had …

Feared OpenSSL vulnerability gets patched, forgery issue resolved

The promised patch against a high severity bug in OpenSSL is out, resolving a certificate forgery risk in many implementations of the crypto protocol. Versions 1.0.1n and 1.0.2b of OpenSSL need fixing to resolve a bug that created a means for hackers to run crypto attacks that circumvent certificate warnings, as an advisory …
John Leyden, 9 Jul 2015

Awoogah: Get ready to patch 'severe' bug in OpenSSL this Thursday

Sysadmins and anyone else with systems running OpenSSL code: a new version of the open-source crypto library will be released this week to "fix a single security defect classified as 'high' severity." The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0 …


Biting the hand that feeds IT © 1998–2018