Handshake bug – Heartbleed hack continues

Published: Tue, 10 Jun 2014 by Rad

Computers and Web servers initiate secure conversations with one another in a process known as a handshake. But this week, security researchers discovered a flaw in the way they shake hands. The bug allows a hacker operating between you and a website - say, connected to the same public Wi-Fi network to snoop in on your Internet session.

Here's the good news: The handshake bug isn't as devastating as Heartbleed. The only major browsers it affects are for Google's Android mobile operating system. And for a hacker to exploit the bug, you and the website must both be running vulnerable versions of the encrypting software, known as OpenSSL.

The bug affects all client versions of OpenSSL and servers on version 1.0.1 or 1.0.2-beta1, though it is recommended to update earlier versions as a precaution. The biggest problem is that we don't really know how many of our applications are using this security package, as this information is not normally disclosed. That said, Adam Langley, a security engineer from Google, confirmed that desktop browsers such as "IE, Firefox, Chrome on Desktop and iOS, Safari, etc." are not vulnerable, as they don't use OpenSSL.

The biggest reason why the bug hasn't been found for over 16 years is that code reviews were insufficient.

Masashi Kikuchi

But it's yet another wake up call that your Internet security relies on a few volunteers. The OpenSSL Foundation is a tiny team of computer programmers that only recently started getting additional financial support from many companies that rely on this software.

Many security researchers say the only reason we spotted the handshake bug is because, post-Heartbleed, more volunteers are combing through the OpenSSL computer code.

The world can thank Masashi Kikuchi, a software security expert at the small Japanese consulting firm Lepidum who decided to look through the code himself.

Resources and related articles

Our previous news stories