
New OpenSSL flaw shakes faith in online security

Adam Turner


Just like privacy, is it time to assume that security is dead? Photo: Reuters

Hot on the heels of Heartbleed, a 10-year-old OpenSSL flaw has emerged, letting hackers intercept supposedly secure traffic.

For years we've been taught that the presence of the SSL encryption padlock is enough to assure us that we're safe online, but clearly it's not. In the last few months we've seen a bug in the way Apple gadgets authenticate secure websites, followed by the Heartbleed flaw which shook online security to its foundations and left many of the web's biggest names open to attack. It's difficult to overstate their severity.

As if that wasn't enough to shake your faith in online security, now the OpenSSL Foundation has unveiled details of a decade-old flaw which lets hackers intercept supposedly secure traffic passing through public wi-fi hotspots. Only this week I questioned the wisdom of using public wi-fi rather than mobile broadband, but I was accused of scaremongering by some who felt that SSL encryption keeps you safe no matter what. This clearly is not the case, and services which rely on OpenSSL security have been vulnerable to this bug for a decade via man-in-the-middle attacks.

It's important to note that none of these security flaws actually involve cracking OpenSSL encryption; they simply involve ways of bypassing it. It's like knowing that your front door's deadlock is tamper-proof, but not realising that you've left a window open. Regardless of your faith in encryption algorithms, we have to concede that more windows have been left open in OpenSSL than anyone suspected.

It's easy to take this latest security flaw as an excuse to bash the open source concept, but it's naive to think that proprietary SSL encryption platforms are somehow immune to flaws. The fact of the matter is that nothing is foolproof. If fundamental flaws in one of the world's most widely used encryption systems can go undiscovered for years, what other bugs are still lurking in the shadows in OpenSSL and other SSL systems? Who already knows about them but has chosen to keep quiet?

After Heartbleed the web giants which rely on OpenSSL have promised to commit more resources to the project, but the last few months have shown that you can never assume that online security is actually secure.

Just like privacy, is it time to assume that security is dead? How do you stay safe online?

Read more posts from Adam Turner's Gadgets on the Go blog.

14 comments so far

  • Where is this listed as a "10 year-old OpenSSL flaw"? This was submitted to the OpenSSL bug team on 1 May 2014:

    "Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
    researching this issue. This issue was reported to OpenSSL on 1st May
    2014 via JPCERT/CC."
    http://www.openssl.org/news/secadv_20140605.txt

    If you're referring to Heartbleed as a 10 year-old flaw, then hire a better copy editor.

    Commenter
    anonymous
    Date and time
    June 06, 2014, 3:20PM
• It is pretty obvious that the journo isn't referring to Heartbleed as a 10 year-old flaw. Perhaps a comprehension coach is needed.

      Commenter
      Thriller
      Date and time
      June 06, 2014, 7:14PM
• This new bug (not Heartbleed) was reported on May 1 but has been in the OpenSSL code for more than 10 years.

    Commenter
    Adam Turner
    Date and time
    June 06, 2014, 3:52PM
    • Zing!

      Commenter
      The Frase
      Date and time
      June 06, 2014, 4:34PM
    • So, what, (if anything), are they going to do about it?

      Commenter
      Christopher Souter
      Location
      Homebush West, NSW
      Date and time
      June 06, 2014, 7:33PM
    • I think it means that for the previous 10 years it was a feature, and not a bug...

      Commenter
      That guy
      Location
      the internet
      Date and time
      June 07, 2014, 8:06PM
  • Don't use open source software? At least there is a level of proprietary!

    But then I'm sure a clever hacker, if they intend to find faults, will find them, and worse, it won't be reported; then the same argument could be applied to open source. However, for open source the fault may be overlooked due to lack of resources, lack of motivation and a relative lack of control. At least with the proprietary stuff, you can find someone responsible, e.g. company XYZ.

    Commenter
    Gerson
    Location
    Sydney
    Date and time
    June 06, 2014, 4:47PM
    • With this Liberal government's tough budget leaving the young to fend for themselves, expect more university grads hacking and cracking computer systems as they can't find any honest work.

      Commenter
      Great Sir Paul
      Location
      Sydney
      Date and time
      June 06, 2014, 4:53PM
      • As you have highlighted, there are many flaws with Internet transactions, so why the big hoo-ha?

        Commenter
        I user
        Date and time
        June 06, 2014, 5:12PM
        • The internet is a snake pit.

          Commenter
          Lunk
          Date and time
          June 06, 2014, 9:10PM