Issues Patch for Server Vulnerability

By Chris Preimesberger  |  Posted 2005-10-11

The flaw could allow a hacker to force an OpenSSL-enabled site to use the outdated—and potentially insecure—SSL version 2.0 protocol.

The OpenSSL Project on Tuesday released a software update to fix a flaw in all previously released versions of OpenSSL—up to versions 0.9.7h and 0.9.8a—that could allow hackers to compromise ostensibly secure Web servers.

The vulnerability could allow a hacker to force an OpenSSL-enabled site to use the outdated—and potentially insecure—SSL version 2.0 protocol. A number of secure Web sites allow visitors to connect using earlier versions of SSL (Secure Sockets Layer), an option that can be enabled by OpenSSL's SSL_OP_ALL setting.
Web servers normally default to the most current encryption protocol supported by the user's browser—usually TLS or SSL version 3, OpenSSL said.
But a flaw in the SSL_OP_ALL implementation could allow an attacker to trick the server into using SSL 2.0, OpenSSL said.

"With this verification step disabled, an attacker acting as a 'man in the middle' can force a client and a server to negotiate the SSL 2.0 protocol, even if these parties both support SSL 3.0 or TLS 1.0," the OpenSSL advisory says. "The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only."

The OpenSSL Project advises users to either upgrade their server software to the latest version or disable SSL 2.0 entirely. "If this version upgrade is not an option at the present time, alternatively the following patch may be applied to the OpenSSL source code to resolve the problem. The patch is compatible with the 0.9.6, 0.9.7, and 0.9.8 branches of OpenSSL," OpenSSL said.
Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif. Follow on Twitter: editingwhiz
