PhotoIn the Internet world, programmers use a software library called OpenSSL to create applications designed to run in a highly secure environment, with protections against eavesdropping.

It has proved highly popular and is now used on most web servers and websites.

But a team of international researchers reports it might not be as secure as it seems.

Dr. Yuval Yarom, Research Associate at the University of Adelaide's School of Computer Science, says he and colleagues Daniel Genkin, of Tel Aviv University, and Dr. Nadia Heninger, of the University of Pennsylvania, have discovered that OpenSSL is vulnerable to what is known as a "side channel attack."

That attack enables a hacker to intercept vital information about software by getting a peek at the inner workings of a computer system – things like tiny changes in power usage, or observing changes in timing when different software is being used.


Yarom says it is even possible for a hacker to "listen in" to the workings of the OpenSSL encryption software. The team reached this conclusion by monitoring highly sensitive changes in the computer's timing – down to less than one nanosecond.

That enabled them to recover the private key which OpenSSL uses to identify the user or the computer.

"In the wrong hands, the private key can be used to 'break' the encryption and impersonate the user," Yarom said in a statement. "At this stage we have only found this vulnerability in computers with Intel's 'Sandy Bridge' processors. Computers with other Intel processors may not be affected in the same way."

OpenSSL currently encrypts a range of applications on most types of computers and is similar to the encryption packages used by the Google Chrome (BoringSSL) and Firefox (Mozilla's Network Security Service (NSS) browsers.

What to do

Should you be concerned? Concerned, maybe, but not alarmed. Yarom believes the likelihood of a hacker successfully deploying this weapon is slim.

"We seem to be the first to have done it, and under controlled conditions,” he said. "Servers, particularly Cloud servers, are a more likely target for this side-channel attack. It's less likely that someone would use it against a home computer.”

That doesn't mean your computer at home is safe. Yaron says there are just many other much easier-to-exploit vulnerabilities in home computers that it's unlikely someone would try to exploit the OpenSSL vulnerability in the real world. Unlikely, but not impossible.

"With OpenSSL being the most commonly used cryptographic software in the world right now, it's important for us to stay vigilant against any possible attack, no matter how small its chances might be,” he said.

Meanwhile, the research team has been working with the developers of OpenSSL to fix the vulnerability.

Share your Comments