New Vulnerability in OpenSSL Could Allow Attackers to Intercept Secure Communications

A new weakness in OpenSSL could allow attackers to hijack secure communications by tricking a targeted computer into accepting invalid, untrusted SSL certificates as valid ones. This could help facilitate man-in-the-middle (MITM) attacks, in which attackers eavesdrop on connections to secure websites such as online banking, ecommerce or email. Any data a user sends to such a website can then be intercepted by the eavesdropping attacker, including the user's login credentials.

The purpose of SSL certificates is to verify that a website is what it claims to be. They also signify a secure, encrypted connection between the user's device and the legitimate website. You can tell when encryption is enabled by checking that a little green padlock appears in front of the web address of the site you are visiting.

For a deeper dive into how this technology works, you can check out “SSL Certificates: What Consumers Need to Know.”


Unfortunately, bugs are commonly found in software these days, and we have seen several vulnerabilities of this kind in the past. In April of 2014, the high-profile bug Heartbleed allowed attackers to intercept secure communications and steal sensitive user information such as login credentials and personal data. In October of 2014, the POODLE vulnerability was discovered in an older version of the protocol, SSL 3.0. In early March of this year, a vulnerability known as FREAK was discovered; FREAK could allow attackers to intercept and decrypt encrypted traffic via a MITM attack.


How To Stay Safe
This new software bug will not directly affect most Norton customers. Any large website affected by this bug should act quickly and apply the latest software update to fix the issue, so you really don't have to worry.

If there are any websites you are concerned about, particularly sites you submit personal information to, don't forget to check for the padlock. You can also use Symantec's SSL Tools Certificate Checker, which will check whether a website is vulnerable to exploitation. This is also a good reminder of the importance of keeping the software that runs on your computer or mobile device up to date.