The OpenSSL team has announced a new security vulnerability, which it is labeling SSL/TLS MITM.
The new vulnerability comes on the heels of the “Heartbleed” bug, which made headlines around the world with its memorable title and dangerous capabilities. While the risk associated with the dimly named SSL/TLS MITM is lower, it still does pose concern.
The most significant issue is a “man in the middle” vulnerability that could allow an attacker to eavesdrop on secure communication between a client and servers without being detected.
For instance, an attacker could set up a fake WiFi access point at a coffee shop and intercept and decrypt data being sent from your laptop to your bank without causing an SSL certificate warning to appear in your web browser.
The bug is in both client and server code. Most clients do not use OpenSSL, so the burden is mainly on the server side to patch this hole. Work is already underway to do so.
This is a good opportunity to reinforce the need to pay close attention to SSL certificate warnings whenever you are accessing secured financial, shopping, or business resources. If you see a warning about the SSL certificate for the site, you should be very careful before proceeding.
Here are some tips to keep yourself safe:
- If the warning is for your corporate email, VPN, or remote access, contact your IT support staff.
- If the warning is for a banking or online shopping site, try using an alternate web browser. If the same error occurs, you should try again from another location (if traveling) or contact the company’s customer support line.
- If you ignore a certificate warning and are being targeted by a hacker, your login information, credit card/account information, or other personal data could be stolen.
Stay safe out there.
For more information, contact the Citon support team: