OpenSSL Vulnerability Allows Forged Certificate Chains to be Accepted

Computer and Internet, 11th July 2015

The OpenSSL Project team has disclosed details of a new high-severity OpenSSL vulnerability, an "alternative chains certificate forgery" (CVE-2015-1793), that can cause invalid certificates to be accepted as trusted.

During certificate verification, OpenSSL builds a chain from the certificate being checked up to a trusted root. If the first attempt fails, OpenSSL tries to find an alternative certificate chain. An error in the implementation of that alternative-chain logic allowed certain checks on untrusted certificates to be skipped, in particular the check that each issuer above the end-entity certificate is actually marked as a CA. In practice, anyone holding an ordinary valid leaf certificate could use its key to sign a certificate for a name of their choosing, and a vulnerable verifier would accept the result as if it had been issued by a real Certificate Authority.


The issue is present in OpenSSL 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o; the alternative-chain logic was introduced in 1.0.1n and 1.0.2b, so earlier releases are not affected. It impacts any application that verifies certificates with OpenSSL, which includes SSL/TLS and DTLS clients and servers that use client authentication (a server that does not verify client certificates does not exercise the vulnerable code).

Users of OpenSSL 1.0.2b and 1.0.2c should upgrade to 1.0.2d, and users of 1.0.1n and 1.0.1o should upgrade to 1.0.1p. Distributions that backport fixes may ship a patched build under an older version string, so the output of "openssl version" alone is not conclusive; check the vendor advisory or package changelog as well.
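The following script is an added example for this article, not code from the original page or from the OpenSSL project. It covers the two practical questions the last few paragraphs raise: whether a given "openssl version" line names one of the four affected releases, and whether the local openssl CLI enforces the check the advisory says was bypassed, namely that an issuer above the end-entity certificate must be a CA. It builds a root CA, an honest leaf marked CA:FALSE, and a certificate for another name signed with the leaf's key, then asks openssl to verify that certificate with the leaf supplied as an untrusted intermediate. It assumes a POSIX shell, mktemp, and an openssl CLI (1.0.x or later); all certificate names are made up.

```shell
#!/bin/sh
# Added example: reproduces the CA-flag check on untrusted issuers that the
# advisory describes, plus a version-string check. Not the project's own code.

# Return 0 if an "openssl version" line names one of the four releases the
# advisory lists as affected, 1 otherwise. Note that vendor packages may carry
# backported fixes under an older version string, so this is only a first pass.
openssl_is_affected() {
    set -- $1                        # split on whitespace: $2 is the release, e.g. 1.0.2c
    case "${2:-}" in
        1.0.1n|1.0.1o|1.0.2b|1.0.2c) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Build root CA -> leaf (CA:FALSE) -> certificate signed with the leaf's key,
# then verify the leaf-signed certificate with the leaf as an untrusted issuer.
# A correct verifier must reject it. Returns 0 when the forgery is rejected and
# the honest leaf still verifies, 1 when the forgery is accepted, 2 on setup error.
forged_leaf_chain_rejected() {
    work=$(mktemp -d) || return 2
    # Minimal req config: empty DN section (subjects come from -subj) and the
    # extensions used when self-signing the root.
    cat > "$work/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Extensions for every certificate below the root: explicitly not a CA.
    cat > "$work/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
EOF
    (
        cd "$work" || exit 2
        # 1. Self-signed root with CA:TRUE; this is the trust anchor.
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config req.cnf \
            -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null || exit 2
        # 2. Honest leaf issued by the root, marked CA:FALSE.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 2
        openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null || exit 2
        # 3. Certificate for another name, signed with the leaf's key. The signing
        #    tool does not care that the leaf is not a CA; the verifier must.
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=www.victim.example" -keyout forged.key -out forged.csr 2>/dev/null || exit 2
        openssl x509 -req -in forged.csr -CA leaf.pem -CAkey leaf.key -CAcreateserial \
            -days 2 -extfile leaf.ext -out forged.pem 2>/dev/null || exit 2
        # Positive control: the honest leaf chains to the root, so the fixture is sane.
        openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 || exit 2
        # The check under discussion: forged.pem with leaf.pem as its only untrusted issuer.
        if openssl verify -CAfile root.pem -untrusted leaf.pem forged.pem >/dev/null 2>&1; then
            echo "ACCEPTED: leaf-signed certificate verified; the verifier skipped the CA check"
            exit 1
        fi
        echo "REJECTED: leaf-signed certificate refused, as a correct verifier should"
        exit 0
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

# Stand-alone usage: report on the local build.
if [ "${0##*/}" != "sh" ] && [ -z "${SOURCED:-}" ]; then
    if command -v openssl >/dev/null 2>&1; then
        openssl_is_affected "$(openssl version)" && echo "version string is an affected release"
        forged_leaf_chain_rejected
    fi
fi
```

Two caveats on scope. The rejection test exercises the check that the advisory says was bypassed (a non-CA issuer above the end-entity certificate), not the particular chain layout that steered the affected releases into the alternative-chain code path, so a REJECTED result on an unpatched 1.0.1n or 1.0.2b build does not by itself prove that build safe; it is a sanity check for a verifier, not an exploit. And a patched verifier may refuse the forged certificate for either of two reasons, "invalid CA certificate" or "unable to get local issuer certificate" (because the leaf's keyUsage lacks keyCertSign, it may not even be considered as an issuer); both are correct outcomes, which is why the function keys on the exit status rather than the message.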

This issue was reported to OpenSSL on June 24, 2015 by Adam Langley and David Benjamin from Google’s BoringSSL project, which also developed the fix.

OpenSSL is one of the most widely used cryptographic libraries, and this vulnerability brings to mind the highly publicized Heartbleed bug, which also involved OpenSSL. Experts, however, have already said it is not as severe as Heartbleed: Heartbleed let a remote attacker read memory from any affected server, whereas exploiting this flaw requires a position to present a forged certificate, such as a man-in-the-middle, to a verifier running one of the four affected releases.

Source: http://www.thewhir.com