OpenSSL, the open source cryptography project, has disclosed another security bug that could theoretically decrypt private data from HTTPS-protected websites.
OpenSSL, the open source encryption toolkit that made headlines in 2014 for the Heartbleed security bug, has been hit by another serious vulnerability. This time, however, the real-world damage seems minimal.
The project disclosed the bug, which results from a new method for generating numbers used for key exchanges, on Jan. 28. It assigned the bug a high severity level, presumably since the flaw could be exploited in order to decrypt data that is encrypted using OpenSSL, the protocol widely used for encrypting information transmitted to and from HTTPS-protected websites.
A fix was available at the time the bug was disclosed. Servers that have upgraded to the latest version of OpenSSL will not be affected.
Nor will most other servers, it seems, even if they run the OpenSSL version in which the flaw exists. That's because, according to the OpenSSL project, "it is believed that many popular applications" are configured in a way that does not make them vulnerable.
In addition, the websites most likely to be affected are ones that use a security method called forward secrecy. Forward secrecy is most often deployed only by large, professionally managed sites. Those sites tend to patch security vulnerabilities quickly; most of them have probably already updated to a newer version of OpenSSL.
So this time, it appears, an OpenSSL bug that could theoretically pose a major privacy and security threat for data exchanged with websites won't have much of a real-world impact. That's good news for the open source community, which doesn't need another security embarrassment like Heartbleed -- and which shouldn't have one given the new investment in OpenSSL security that the Linux Foundation's Core Infrastructure Initiative made in OpenSSL security in 2014.