The president of the OpenSSL Software Foundation has said the latest security issue in OpenSSL is not in the same league as the Heartbleed flaw that came to light in April but admitted it has the potential to be a serious problem.
The latest scare concerns a flaw that had lain unnoticed in the OpenSSL code for 16 years and that could allow attackers to carry out man-in-the-middle attacks against connections to servers running certain versions of the software.
Steve Marquess, also the co-founder of the OpenSSL Software Foundation, told V3 the issue was not as big as Heartbleed, as most web users would not be affected.
“In short, it is a potentially serious flaw (though no exploits ‘in the wild’ are known), but not in the same class as ‘Heartbleed’. The typical browser user (IE, Firefox, Safari) is unaffected.”
Marquess added he expects to see more vulnerabilities around OpenSSL come to light in the near future due to increased scrutiny of the code, which he said was not necessarily a bad thing.
“We do expect to see an increase, at least in the short term, in vulnerability reports. That is due to two factors. One is the heightened awareness and interest in OpenSSL overall, thanks to recent publicity,” he said.
“The other is that thanks to recent and welcome financial support the amount of qualified manpower dedicated to OpenSSL support has approximately tripled. In both cases more ‘eyeballs’ on the job means more issues will be found. All complex software has bugs so this enhanced scrutiny is a good thing.”
Marquess said more staff working full time on OpenSSL was a must for the project; in the fallout from the Heartbleed bug he had criticised the tech community for not doing more to support OpenSSL.
Marquess also said there were more improvements planned for OpenSSL that would be announced soon.
6 June 2014 | 2:24 pm – Source: v3.co.uk