Popular websites still vulnerable to OpenSSL hijacking attack

Posted June 16, 2014 in Security, Software (tags: encryption, hack, internet, security, web sites)
https://nccomputertech.com/techtalk/2014/06/16/popular-websites-still-vulnerable-to-openssl-hijacking-attack/

Some of the Internet's most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.

On June 5, developers of the widely used OpenSSL crypto library released emergency security patches to address several vulnerabilities, including one tracked as CVE-2014-0224 that could allow attackers to spy on encrypted connections if certain conditions are met.

Until a few years ago, full-session encryption via HTTPS (HTTP with SSL) was mainly used by financial, e-commerce, and other sites dealing with sensitive information. However, the increasing use of mobile devices that often connect over insecure wireless networks, coupled with the past year's revelations of upstream bulk data collection by spy agencies, led to a large number of sites adding support for it.

OpenSSL is the most popular cryptographic library for implementing SSL/TLS support on Web servers.

In order to exploit CVE-2014-0224 to decrypt and modify SSL traffic, attackers would need to have a "man-in-the-middle" position between a client and a server that both use OpenSSL. Furthermore, the server would need to run an OpenSSL version from the 1.0.1 branch.

According to scans performed Thursday by Ivan Ristic, who runs the SSL Labs at security vendor Qualys, about 14 percent of sites monitored by the SSL Pulse project run a version of OpenSSL that allows exploiting the CVE-2014-0224 flaw.

The SSL Pulse project monitors the strength of SSL implementations on HTTPS-enabled sites from the list of the top 1 million most visited sites as published by Internet statistics firm Alexa—154,406 sites as of June 2nd.

An additional 36 percent of websites from the SSL Pulse data set run OpenSSL versions from the 0.9.x or 1.0.0 branches that also contain the flaw, but against which the exploit known so far doesn't work.

Those servers should be upgraded too because it's possible that there are other yet-to-be-discovered ways to exploit the problem, Ristic said in a blog post Friday.

The patching rate for CVE-2014-0224 does not appear to be as high as the one for Heartbleed, a more serious vulnerability revealed at the beginning of April that also affected OpenSSL clients and servers.

"The good news is that most browsers don't rely on OpenSSL, which means that most browser users won't be affected," Ristic said. "However, Android browsers do use OpenSSL and are vulnerable to this attack. Additionally, many command-line and similar programmatic tools use OpenSSL. A particularly interesting target will be various VPN products, provided they are based on OpenSSL (like, for example, OpenVPN)."

Website administrators who want to check if their servers are vulnerable to CVE-2014-0224 can use a free online testing tool developed by Qualys SSL Labs.

via Popular websites still vulnerable to OpenSSL hijacking attack | PCWorld: http://www.pcworld.com/article/2364080/popular-https-sites-still-vulnerable-to-openssl-connection-hijacking-attack.html