The Internet had a collective panic attack in April when researchers disclosed a major security flaw in an encryption library used by servers across the Web to secure sensitive Web traffic against digital snooping. The bug, termed "Heartbleed," allowed hackers to grab random bits of data from server memory, potentially exposing users' passwords and encryption keys.
There was a mad rush to fix the problem, which affected some major tech companies, including Yahoo and Google. But security experts say servers vulnerable to coding bugs in the open source encryption library known as OpenSSL are still out there in the digital wild.
On Thursday, OpenSSL disclosed a handful of new bugs discovered since Heartbleed and also shared the fixes. The most significant of the issues left some users vulnerable to a man-in-the-middle attack, in which a hacker positioned between users and online services can trick both sides into using weak encryption keys, allowing the attacker to intercept or even modify traffic. Security experts say the problem appears to have existed in some versions of the code dating back as far as 1998.
But executing an attack via this bug would require a pretty specific set of circumstances: Both the server and the end user's client (a browser, another type of software package that connects online, or the connection on an embedded device) need to be using an affected version. Plus, the bad guy has to be somewhere between the two of them, be it sniffing on an open coffee-shop wireless network or somewhere with access at the Internet Service Provider level, said Nicholas J. Percoco, vice president of strategic services at cybersecurity firm Rapid7.
And major desktop browsers including Chrome, Firefox, Safari and Internet Explorer aren't at risk, according to security experts, although Google did release an update of Chrome for Android on Thursday to address issues related to OpenSSL. Most experts agree that the specific circumstances needed to mount this type of attack make it less serious than Heartbleed, but Percoco said the bug still raises a number of issues.
Chief among them, he said, is that, although this bug was recently discovered by a Japanese security researcher working at cybersecurity firm Lepidum, that researcher might not have been the first person to find it. Because the man-in-the-middle attack works by tricking both the user and the server simultaneously and has been around for a long time, Percoco said there's no way to know if an individual hacker or even a group may have been exploiting it for years. Percoco said the bug could be a threat to some "embedded" devices, such as Internet-connected kitchen appliances that run older versions of OpenSSL and do not have a way to update.
The recently discovered OpenSSL bugs are the latest in a string of incidents that call into question the security of open source tools that many Web sites rely on to protect sensitive information. “It doesn't surprise me that we are seeing a number of new reported flaws in OpenSSL,” HyTrust chief architect Steve Pate said in a statement. “After the Heartbleed bug was announced, one thing we could guarantee was that all eyes would be on the OpenSSL source code, scrutinizing it for issues.”
Indeed, Masashi Kikuchi, the researcher who detected the man-in-the-middle bug with OpenSSL, said he found it when he started taking a closer look at OpenSSL after learning about Heartbleed.
And he's not the only one. At the time Heartbleed was disclosed, many wondered why a security tool so widely deployed was being maintained by a lone employee working out of his house near Frederick, Md., and a volunteer force of fewer than a dozen developers around the world. Compared to some for-profit projects, Percoco said, OpenSSL and other open source encryption tools are "extremely under-resourced."
Often, open source projects aren't put through the same level of testing that privately developed tools are, he said. However, Percoco also noted that there is a trade-off. Tools developed in the open can be audited by any member of the public at any time. Think of it as crowdsourcing security.
But Heartbleed and other high-profile issues with open source security tools, like the mysterious situation with TrueCrypt, may suggest that's not enough, security experts say.
Weeks after the Heartbleed disclosure, a coalition of major tech companies and the Linux Foundation joined together to create the Core Infrastructure Initiative -- committing millions over the next few years to maintain and support open source tools deemed key to keeping the Internet running smoothly. What was the first project they announced they'd be supporting? OpenSSL.