Posted by Robert Vamosi on February 26, 2016
On Tuesday, the first day of RSA 2016, the OpenSSL project will release updates, specifically versions 1.0.2g and 1.0.1s. All that is known so far is that the organization rates the most severe of the fixed issues as “high”. According to the OpenSSL security policy, “high” covers issues that are of a lower risk than “critical”, perhaps because they affect less common configurations or are less likely to be exploitable.
OpenSSL is used to encrypt communications between users and servers. Because it is deployed by financial institutions and e-commerce sites, and even in embedded Internet of Things (IoT) devices, any vulnerability in this open-source implementation of the SSL and TLS protocols needs to be taken seriously.
SSL has come under attack recently from the research community. Last year’s FREAK vulnerability downgraded encryption to weaker 512-bit keys, allowing attackers to perform a man-in-the-middle (MITM) attack on traffic passing between Android or Apple devices and potentially millions of websites.
In 2014, Heartbleed, co-discovered by Codenomicon (now Synopsys) and Google, was a vulnerability in the OpenSSL cryptography library that allowed anyone to read the memory of systems protected by the vulnerable versions of the OpenSSL software.
In response, the OpenSSL Project has become much more responsive. They have raised funds and now support their own staff to address issues as they come up.