Wednesday, March 18, 2015

OpenSSL to be patched Thursday 2015-03-19

If you haven't heard the recent security news yet, be forewarned that newly-discovered flaws in the OpenSSL encryption library are due to be patched tomorrow, March 19. Some of the weaknesses have been classified with a "high" severity.

The OpenSSL libraries provide encryption services to protect online communications such as e-mail, file transfers, and most importantly, secure web sites. The libraries implement the (outdated) Secure Sockets Layer (SSL) and its replacement the Transport Layer Security (TLS) protocols. If you see a padlock and "https://..." in your web browser's address bar then SSL/TLS is at work. A major segment of the global internet depends on OpenSSL to maintain data privacy and secure confidential information such as banking and credit card data, transactions related to healthcare and government services, and other personally identifiable information that can be used to commit identity theft and other fraud.

Recently, the PCI Security Standards Council announced the upcoming release of the Payment Card Industry Data Security Standard (PCI DSS) version 3.1. The main reason for this update to the standards is to remove the older SSL protocol from lists that provide examples of strong cryptography. SSL no longer meets that definition based on recommendations by the U.S. National Institute for Standards and Technology, known as NIST.

For a good discussion of this news, please see Brian Krebs's blog, Krebs on Security. His post today, OpenSSL Patch to Plug Severe Security Holes, provides more background and explains the importance of putting these patches into place as soon as possible.

1 comment:

  1. We upgraded all of our systems that were running SSL to TLS v1.2 last year. It was a pain but we got it done.