OpenSSL’s crypto library recently received an emergency patch (the version 1.1.0e update) for a severe vulnerability first reported in January by Red Hat’s Joe Orton. According to the original security advisory posted by the OpenSSL Software Foundation, the flaw (CVE-2017-3733) occurs during “a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa).” When this happens, OpenSSL can crash, and both clients and servers suffer the effects.
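A quick way to triage hosts against the fixed release named above, as an added example that is not part of the original article or the OpenSSL project's code. It assumes the advisory's scope (1.1.0 releases before 1.1.0e are affected, 1.0.2 is not); the function names and the sample version strings are constructed for illustration.

```python
import re
import ssl

# Matches the banner printed by `openssl version` or held in ssl.OPENSSL_VERSION,
# e.g. "OpenSSL 1.1.0d  26 Jan 2017". Group 4 is the patch letter, group 5 a
# pre-release or vendor tag such as "-pre6".
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-\S+)?")

AFFECTED_BRANCH = (1, 1, 0)  # assumption from the advisory: only 1.1.0 is affected
FIXED_LETTER = "e"           # 1.1.0e is the patched release named in the article


def classify(banner):
    """Return 'affected', 'not_affected' or 'unknown' for a version banner."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return "unknown"          # not an OpenSSL banner (for example LibreSSL)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, tag = m.group(4), m.group(5)
    if branch != AFFECTED_BRANCH:
        return "not_affected"     # other branches are outside the advisory's scope
    if tag:
        return "unknown"          # pre-release or vendor build: check by hand
    # Patch letters sort a < b < ... < z < za; compare length first, then text.
    if (len(letter), letter) < (len(FIXED_LETTER), FIXED_LETTER):
        return "affected"
    return "not_affected"


def local_openssl_status():
    """Classify the OpenSSL build this Python interpreter is linked against."""
    return classify(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    samples = [
        "OpenSSL 1.1.0d  26 Jan 2017",
        "OpenSSL 1.1.0e  16 Feb 2017",
        "OpenSSL 1.0.2k  26 Jan 2017",
        "OpenSSL 1.1.0-pre6 (beta) 4 Aug 2016",
    ]
    for banner in samples:
        print(f"{banner!r}: {classify(banner)}")
    print("this interpreter:", ssl.OPENSSL_VERSION, "->", local_openssl_status())
```

Distribution packages can carry a backported fix without changing the version letter, so an "affected" result should be confirmed against the vendor's package changelog.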
The reason why this vulnerability was so severe is rather self-explanatory. OpenSSL serves a vast number (roughly 70 percent) of websites and is officially backed, as Threatpost notes in its article about this story, by tech giants like the Linux Foundation, Microsoft, Facebook, Amazon, Dell, and Google (on top of thousands of independent projects).
If the OpenSSL crypto library crashes, it leaves users open to numerous attacks, such as eavesdropping via man-in-the-middle attacks, due to the lack of encrypted communication. It will also leave the user unable to verify the identity of the other party in a line of communication, which makes it possible for a hacker to pose as a legitimate source.
With OpenSSL having so many issues through the years, including the Heartbleed vulnerability that still poses a threat to roughly 200,000 servers, one has to wonder if more alternatives should be pursued. After the Heartbleed debacle, there were alternatives like LibreSSL (which forked from OpenSSL) that were created as a reaction to the vast amount of damage done.
It is this line of thinking that needs to be pursued further, in my opinion, as severe vulnerabilities like CVE-2017-3733 are only the most recent in a long line of issues. These issues have been exploited by black hats and nation-states (most notably the NSA, as noted by Edward Snowden in his brave display of whistleblowing), and this will likely continue.
Performing an overhaul to totally replace OpenSSL may be a bit extreme to some, but as this recent vulnerability highlights, we cannot continue to believe that this is working effectively anymore.