Severe ssl bug has been patched and does little damage
A bug in OpenSSL allowed an attacker to generate fake SSL certificates using a legitimate SSL certificate. The impact of the bug is relatively limited: a small number of OpenSSL versions are affected and no browser is susceptible.
Unlike the infamous Heartbleed bug, for example, the impact of the new security vulnerability announced earlier this week is limited. Thus, no major web browsers are affected, thus security researcher Filippo Valsorda. It only concerns servers that run the most recent OpenSSL version.
The problem, where fake SSL certificates can be issued, meets for example, servers that use OpenSSL for checking certificates and VPN servers. However, only four recent OpenSSL versions have been affected: 1.0.2b, 1.0.2c, 1.0.1n, and 1.0.1o users should update. Users of older versions were not vulnerable. The new version has been in circulation for about a month; Ubuntu and Red Hat use older OpenSSL versions and so are not susceptible.
The vulnerability allowed an attacker to serve fake SSL certificates. This was because systems did not properly check the ‘chain of trust’ of SSL certificates in certain cases. As a result, an attacker could generate a false certificate using a normal SSL certificate. Normally such certificates should not be accepted, but due to the flaw in OpenSSL this was not noticed. The SSL certificate had to be manipulated for this.
As a result, a so-called leaf certificate was enough to issue a certificate for Google.com, for example. Leaf certificates are certificates that end users purchase for, for example, encrypting a website; they are not intended to be used to issue certificates themselves.
Employees of BoringSSL, Google’s fork of OpenSSL, discovered the bug. That project also made a patch, which is now available. It is not yet known whether this means that the bug is also in BoringSSL; that project does not inherit all changes in OpenSSL by default. It is also unclear whether LibreSSL, another fork of OpenSSL that the OpenBSD project is working on, is or was also vulnerable.