After the notorious Heartbleed vulnerability was found, researchers and programmers worldwide are turning their heads to the OpenSSL encryption library source code. The numerous close examinations conducted by specialists in the field, revealed that OpenSSL is far from perfect and that there are more unexpected weak points to be discovered in the future. The first one to come after Heartbleed is the new SSL/TLS vulnerability.
In essence, this is a typical man-in-the-middle attack, where the attacker is able to intercept and decrypt information exchanged between the client and the server. The attacker can also modify or inject his own traffic. This vulnerability is exploited by using a carefully crafted handshake, which in turn can force the use of weak keying material, thus enabling the attack. The vulnerability affects servers running OpenSSL 1.0.1 and 1.0.2-beta1. Users of earlier versions of the OpenSSL library are not vulnerable to this type of man-in-the-middle attack, but are advised to upgrade as a precaution. What raises concern is that clients are vulnerable in all versions of OpenSSL, but the attack can be performed only between a vulnerable client and server. Although the attacker must be in a man-in-the-middle position, this can be easily achieved when an untrusted network is used.
We at Vistnet, would like to inform our clients that the version of OpenSSL we have been using on our servers has been 0.9.8y, which is not vulnerable to this exploit as a server. As our service interacts both as server and client with our customers, we have upgraded to 1.0.1h that is not vulnerable either as a server, nor as a client. Communication between our servers and clients has been secure and no customer information was ever exposed. However, communication between us and those of our clients, whose backends have been running any of the vulnerable versions of OpenSSL, has been exposed and susceptible to attacks. We strongly advise all of our clients to upgrade their OpenSSL libraries to the newest corresponding version.
The imperfections of the OpenSSL source code have led us to the conclusion that there may be many more vulnerabilities to be found in the future. As we always like to be on the safe side, we have designed our infrastructure in such a way that implementation of patches and upgrades can be done as soon as possible. OpenSSL has been updated throughout all of our points of presence in mere minutes after the SSL/TLS vulnerability was publicly announced. We strive to present our customers with the best service, this is why we spare no expense in maintaining a safe, up-to-date infrastructure.