So OpenSSL is being patched again, very shortly after Heartbleed was fixed. According to the OpenSSL Security Advisory, multiple vulnerabilities in the library have recently been discovered. One of them allowed an attacker who could intercept traffic between an OpenSSL client and an OpenSSL server to read and modify that traffic. While this news might seem bad, finding these vulnerabilities indicates that OpenSSL is being closely scrutinised by security professionals and that the appropriate steps are being taken to patch what they find. This in turn makes OpenSSL a more secure implementation of SSL/TLS (Secure Sockets Layer/Transport Layer Security).
But after OpenSSL's vulnerabilities are fixed, a bigger issue comes into play: will people be able to deploy the new patch fast enough? Do companies want to take servers down to apply it? Doing so could cost them clients, page views or availability while the patch is being applied. Or is it better for a company to wait for a quiet period, such as overnight, when the website has little activity? That could put customer data at risk, because the vulnerable OpenSSL version would remain in service until then. In practice the disruption is smaller than it sounds: the fix is a library update, and the part that actually needs downtime is restarting every service that still has the old libssl loaded, which is also the step most often forgotten. Both options have pros and cons, but I believe it is better for a company to deploy the patched version as soon as possible.
Why should a company patch OpenSSL as soon as possible? It's simple: increased security. No one wants an attacker stealing valuable information such as PII (Personally Identifiable Information), account names, passwords or credit card numbers. Leaving a known vulnerability unpatched exposes you to anyone who cares to exploit it. If you're a system administrator, patch your OpenSSL and keep an eye out for further updates, which may follow. If you're a regular user, OpenSSL reaches you bundled in your operating system and applications, so install the updates those vendors publish (or, if you build from source, use the patched release on OpenSSL's website). Desktop web browsers typically don't use OpenSSL, so plain web browsing is less exposed: this particular attack relies on OpenSSL being on both ends of the secure connection.
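As an added example, not part of the original post: a small POSIX shell script a system administrator could use to do the two checks described above, namely confirm that the OpenSSL build in PATH is at or above the version the advisory names as fixed, and list processes that still have a replaced libssl or libcrypto mapped (on Linux, /proc marks such mappings "(deleted)"), meaning the patch is on disk but not in effect until those services restart. The default minimum version 1.0.1h and the library-name pattern are assumptions for illustration; take the real fixed version from the advisory you are acting on.

```shell
#!/bin/sh
# Added example (not from the original post): verify an OpenSSL patch.
# Version strings are compared in OpenSSL 1.0.x style ("1.0.1g" < "1.0.1h").
# MIN_VERSION below is an assumed value; read the real one from the advisory.

# openssl_version_key VERSION -> zero-padded sortable key
#   "1.0.1h"  -> "001.000.001.h"
#   "1.0.1"   -> "001.000.001.-"   ('-' sorts before any patch letter)
openssl_version_key() {
    ver=$1
    num=$(printf '%s' "$ver" | sed 's/[a-z]*$//')   # "1.0.1"
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//') # "h" or ""
    [ -z "$letter" ] && letter='-'
    maj=${num%%.*}; rest=${num#*.}
    min=${rest%%.*}; fix=${rest#*.}
    printf '%03d.%03d.%03d.%s' "$maj" "$min" "$fix" "$letter"
}

# openssl_is_fixed INSTALLED MINIMUM -> returns 0 if INSTALLED >= MINIMUM.
# Assumes both are on the same release line; a patched 1.0.0m still reads
# as "below" 1.0.1h, so compare against the fix for the line you run.
openssl_is_fixed() {
    a=$(openssl_version_key "$1"); b=$(openssl_version_key "$2")
    [ "$a" = "$b" ] && return 0
    first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$b" ]   # minimum sorts first => installed is newer
}

# parse_openssl_version_line "OpenSSL 1.0.1g 7 Apr 2014" -> "1.0.1g"
parse_openssl_version_line() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}'
}

# installed_openssl_version -> version of the openssl binary in PATH, or ""
installed_openssl_version() {
    parse_openssl_version_line "$(openssl version 2>/dev/null)"
}

# stale_ssl_processes -> "PID command" for each process whose memory map
# still references a libssl/libcrypto file that was replaced on disk.
# Linux-specific (/proc); prints nothing when no such process exists.
stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Usage: sh check-openssl.sh --check   (MIN_VERSION is an assumed default)
MIN_VERSION=${MIN_VERSION:-1.0.1h}
if [ "${1:-}" = "--check" ]; then
    inst=$(installed_openssl_version)
    if [ -n "$inst" ] && openssl_is_fixed "$inst" "$MIN_VERSION"; then
        echo "openssl $inst >= $MIN_VERSION: patched on disk"
    else
        echo "openssl ${inst:-not found}: below $MIN_VERSION, patch needed"
    fi
    echo "processes still using a replaced libssl/libcrypto (restart these):"
    stale_ssl_processes
fi
```

Run it with `--check` after the package update; an empty list under the last heading is the signal that the patch is actually in effect, not just installed. Note that the version check only covers the `openssl` binary in PATH: statically linked or privately bundled copies of OpenSSL in individual applications must be inventoried separately.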
While OpenSSL has been plagued by bugs, it should not be written off as insecure. Remember that discovering and fixing weaknesses contributes to a more secure environment for SSL and TLS.
For more information about how to advance your career as a cyber security professional, have a look at some of Advanced Security's in-classroom and online cyber-security training.