Critical OpenSSL Flaw Allows Hackers to Impersonate Any Trusted SSL Certificate
Jul 09, 2015
The mysterious security vulnerability in the widely used OpenSSL code library is neither HeartBleed nor FREAK, but it's critical enough to be patched by sysadmins without any delay. OpenSSL Foundation released the promised patch against a high severity vulnerability in OpenSSL versions 1.0.1n and 1.0.2b, resolving a certificate forgery issue in the implementations of the crypto protocol. The critical vulnerability could allow man-in-the-middle attackers to impersonate cryptographically protected websites, virtual private networks, or e-mail servers, and snoop on encrypted Internet traffic. The vulnerability, ( CVE-2015-1793 ), is due to a problem lies in the certificate verification process. An error in its implementation skipped some security checks on new, untrusted certificates. By exploiting this vulnerability, an attacker could circumvent certificate warnings that enable them to force applications into treating an invalid certificate as a legitimate Certificat...
