On 26 June, two researchers working on the Google/Boring SSL project found that there was a problem with the latest versions of the technology: 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
According to Ivan Ristic, director of engineering at Qualys because the problem was identified very early on, the effect has been negligible. “It's a very serious issue,” he said, “but it doesn't affect a large number of users.” It's a problem that's only found on Android and Chrome and only the most up-to-date version, he added.
Because of this, he said, the vulnerability would not lead to the sort of problems that Heartbleed had caused. “Heartbleed had time to propagate,” he said, “because the new vulnerabilities were so fresh, users wouldn't have had time to use them.”
There was also the question of who the users were. “Most people get Open SSL from the operating system but it was discovered so quickly, the operating systems vendors hadn't upgraded. You'll get the few people on the cutting edge who use them on their servers, but because they are on the cutting edge, they'll be fully aware of this,” he said.
However, Tim Erlin, director of security and product management for Tripwire said users shouldn't be too complacent. “This latest vulnerability is severe because it allows for an attack on the chain of trust, i.e. validation, of certificates used in the OpenSSL encryption process. That's pretty fundamental to the service provided by OpenSSL, but it's only ‘shocking' or newsworthy if it were a surprise and we could speculate on how it's been exploited in the past.”
Ristic said that while these flaws were not to be underestimated, researchers were getting better at identifying them. “People are paying attention these days: there has a been shift since 2008, suddenly there's been a critical mass of people who care,” he said. “You have to remember that OSSL had been maintained by two guys working from their bedroom. They cared but it's definitely difficult to do properly with those sorts of resources, now there's more money and more people looking after it.”
Erlin said the security community could be more sophisticated about how they handle vulnerabilities. “As a community, we're experiencing one of the downsides of a low/medium/high ranking system for vulnerabilities, which is what the OpenSSL Security Policy uses. These broad categories don't allow for some fairly important differentiation between vulnerabilities that are all considered ‘high',” he said.
There should be greater granularity, he added. “OpenSSL could use a more effective set of rankings, or even the Common Vulnerability Scoring System (CVSS), as a means to provide greater distinction. That would help organisations prepare more effectively.”