Free Republic

OpenSSL today pushed out fixes for six security vulnerabilities – including a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers. DTLS is more or less classic TLS encryption over UDP rather than TCP, and is used to secure live streams of video, voice chat and so on.However an SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is...

This week web experts discovered a huge flaw in the security software used by millions of Web sites — including many banks, email and social media services. Some sites have likened the breach to leaving your front door unlocked, and anyone who knows how to open the door can intrude and expose your confidential information. Unfortunately, the fix isn’t as simple as locking the door from inside your house. The code vulnerability exists within layers of secure Internet server coding. So how does this affect you? * This week web experts discovered a huge flaw in the security software used...

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

A serious vulnerability in the popular OpenSSL cryptographic library has been discovered that allows attackers to steal information unnoticed. Known as the Heartbleed bug, the vulnerability allows anyone on the Internet to read the memory of systems that run vulnerable versions of OpenSSL, revealing the secret authentication and encryption keys to protect the traffic. User names, passwords and the actual content of the communications can also be read. ... OpenSSL recommends that uses immediately upgrade to version 1.0.1g. If that's not possible, users should recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag to remove the the heartbeat handshake. The 1.0.2 version of...