Another Week, Another OpenSSL Bug - All About CCS Injection


It seems to be almost a weekly occurrence these days that OpenSSL has a new critical bug that is going to take the web by storm if everyone doesn't update their servers immediately.

This week's culprit is CCS Injection.

OpenSSL's handling of "ChangeCipherSpec" has a vulnerability: an attacker who intentionally interrupts the cipher negotiation process with a vulnerable server can recover some sensitive information by forcing clients to use weaker key strengths and ciphers.

This vulnerability primarily affects web servers that have to go through cipher negotiation.

Under normal conditions, the process of cipher negotiation is the first step of establishing an encrypted session with a server. Your client has a set of ciphers that it supports, and the server has a different set of ciphers that it supports. The negotiation process is designed to make sure that the strongest mutual match is used.

The attack involves a "man-in-the-middle" that intercepts the cipher lists during the negotiation process, and manipulates them so that the weakest cipher possible is used. This is so the attacker can then intercept the encrypted traffic and, if the encryption is weak enough, decrypt the private data and read the contents.


To harden against this kind of attack there are a few steps you can take.

1. Update your cipher order in your browser (how-to) so that it doesn't support weak ciphers at all.

2. Update OpenSSL on your servers.

3. Check the encryption that your browser is using when visiting sensitive sites. In Mozilla Firefox and Google Chrome, you do this by clicking on the lock to the left of "https" in your address bar. If your browser seems to be using something very unusual (something other than AES, RC4, or in Google's case sometimes ChaCha20), stop the session immediately and do not log in to the service.
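For scripted clients, steps 1 and 3 can be automated. The sketch below is an added example, not code from the original post: it builds a client context that offers no weak ciphers and audits whatever suite a connection actually negotiated. The function names, the weak-token list, the 128-bit floor and the TLS 1.2 minimum are assumptions chosen for illustration, and RC4 is treated as weak in line with step 1.

```python
import re
import socket
import ssl

# Assumptions for this example (not from the original post):
EXPECTED_FAMILIES = ("AES", "CHACHA20")        # families treated as usual
WEAK_TOKENS = {"NULL", "EXP", "EXPORT", "RC4", "DES", "CBC3",
               "MD5", "ADH", "AECDH", "ANON"}  # constructed denylist
OK_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_BITS = 128


def audit_cipher(name, protocol, bits):
    """Audit a (name, protocol, bits) tuple as returned by SSLSocket.cipher().

    Returns a list of problems; an empty list means the suite is acceptable.
    """
    tokens = re.split(r"[-_]", name.upper())
    problems = []
    if not any(t.startswith(EXPECTED_FAMILIES) for t in tokens):
        problems.append(f"unexpected cipher family in {name}")
    weak = sorted(WEAK_TOKENS.intersection(tokens))
    if weak:
        problems.append(f"weak components: {', '.join(weak)}")
    if protocol not in OK_PROTOCOLS:
        problems.append(f"old protocol version: {protocol}")
    if bits is None or bits < MIN_BITS:
        problems.append(f"key strength below {MIN_BITS} bits: {bits}")
    return problems


def hardened_client_context():
    """Step 1: a client that does not offer weak ciphers at all."""
    ctx = ssl.create_default_context()           # keeps certificate checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def check_host(host, port=443):
    """Step 3: connect, then audit the suite that was actually negotiated."""
    with socket.create_connection((host, port), timeout=5) as raw:
        ctx = hardened_client_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return audit_cipher(*tls.cipher())
```

`check_host("example.org")` returns an empty list when the negotiated suite passes; a non-empty list is the scripted equivalent of stopping the session before logging in.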

It is also important to note that this bug does not impact OpenVPN or VikingVPN's services. OpenVPN does not use the cipher negotiation process, and our website uses very hard ciphers exclusively, to the point where older browsers cannot even view our content. We chose high security over high compatibility (as we always do).


