Last week six new OpenSSL vulnerabilities were disclosed to the public. These flaws were quickly patched, but Heartbleed has left users wary about the safety of OpenSSL.
Just how severe are these new vulnerabilities?
Listen to episode 153 of our Security Slice podcast and hear Craig Young and Tyler Reguly discuss why none of these vulnerabilities are as serious as Heartbleed, why sensationalism in the security industry makes it difficult to gauge the impact of new vulnerabilities, and why these new disclosures should increase your confidence in OpenSSL.
Also, check out this handy Detection Script for CVE-2014-0224 (the OpenSSL CCS Injection) – it is designed to recognize when an SSL server does not actively reject an early CCS message. This behavior is indicative of whether an OpenSSL library has been patched to enforce the proper message order.
The script is designed for detection of vulnerable servers in a wide range of configurations. It attempts to negotiate using each affected protocol version (SSLv3, TLSv1, TLSv1.1, and TLSv1.2) advertising a comprehensive set of ciphers.
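An added example, not the Detection Script mentioned above and not Tripwire's code: it builds the early CCS record for each of the four protocol versions and classifies a server's raw reply as an active rejection or not. The function names, the fatal-alert criterion and the sample replies are assumptions constructed for illustration.

```python
import struct

# Record-layer version bytes for the four protocol versions named above.
VERSIONS = {"SSLv3": (3, 0), "TLSv1": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
CHANGE_CIPHER_SPEC, ALERT, FATAL = 20, 21, 2
ALERT_NAMES = {10: "unexpected_message", 40: "handshake_failure"}


def ccs_record(version_name):
    """ChangeCipherSpec record: type 20, version, length 1, body 0x01."""
    major, minor = VERSIONS[version_name]
    return struct.pack("!BBBH", CHANGE_CIPHER_SPEC, major, minor, 1) + b"\x01"


def parse_records(data):
    """Split raw bytes into (content_type, payload) record tuples."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _maj, _min, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((ctype, payload))
        offset += 5 + length
    return records


def classify_reply(reply):
    """Assumed criterion: a fatal alert record counts as an active rejection."""
    for ctype, payload in parse_records(reply):
        if ctype == ALERT and len(payload) == 2 and payload[0] == FATAL:
            return "rejected", ALERT_NAMES.get(payload[1], str(payload[1]))
    return "not rejected", None


# Constructed replies to an early CCS (not captured from any real server).
SAMPLE_REPLIES = {
    "fatal unexpected_message alert": bytes.fromhex("1503030002020a"),
    "no bytes before read timeout": b"",
}

if __name__ == "__main__":
    for name in VERSIONS:
        print(name, ccs_record(name).hex())
    for label, reply in SAMPLE_REPLIES.items():
        print(label, "->", classify_reply(reply))
```

The ClientHello and the network I/O are left out; only the record framing and the reply classification are shown.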