The web is still reeling from the aftereffects of the Heartbleed bug and here we are now, with yet another bug discovered in OpenSSL. This bug allows an attacker to launch a man-in-the-middle attack, tapping into private communications and modifying traffic.
The bug is present only when the communication is taking place between an OpenSSL client and an OpenSSL server. This is often not the case and the bug works with only specific versions of OpenSSL server, so its scope is fairly limited. However, the fact that it works exclusively with two secure communication end-points reflects rather bad on OpenSSL.
An attacker trying to make use of this bug can easily launch a man-in-the-middle attack, tapping into the private communications of the client and the server machines. Although the bug is present in all the client versions of OpenSSL, it afflicts only version 1.0.1 and 1.0.2-Beta1 of OpenSSL server. Since the bug works only when both the client and server machines are susceptible to it, you may want to be on the alert if you have any of the aforementioned OpenSSL server versions.
For the average internet user out there, this is nothing to be worked up about. According to security experts, this particular vulnerability doesn’t affect the security of all the major browsing platforms such as Chrome for Desktop, Internet Explorer, Safari, iOS and Firefox.
It must also be noted here that the security experts are suddenly finding faults with the OpenSSL protocol because it is being more closely reviewed in the wake of the Heartbleed bug. This doesn’t mean that OpenSSL is a vulnerable protocol. Rather, it simply means that the protocol is being made more safe and secure with the help of the community at large, something that should have been done in the first place.