The maintainers of the OpenSSL cryptographic library have fixed a high-severity vulnerability that, under certain circumstances, let an attacker recover a server's private Diffie-Hellman key and, with it, the keys that protect HTTPS and other transport layer security channels.
Once an attacker has that key, they can decrypt traffic that is supposed to be ‘secure’, or sit in the connection as a ‘man-in-the-middle’.
While the potential impact of this vulnerability sounds high, in reality the bug can only be exploited when several conditions are met.
First, it’s present only in OpenSSL version 1.0.2 (fixed in 1.0.2f). Second, the application must use DSA-style (X9.42) Diffie-Hellman parameters rather than the ‘safe prime’ parameters OpenSSL traditionally generated. With a safe prime, p - 1 has no factors other than 2 and one large prime, so there are no small subgroups to abuse; with DSA-style parameters the modulus p minus one has a large prime factor q alongside other, often small, factors, and a peer that sends a value of small order confines the shared secret to a handful of candidates. Third, the server must reuse its private Diffie-Hellman exponent across handshakes. By default, a 1.0.2 server that does not set SSL_OP_SINGLE_DH_USE reuses the same private exponent for the life of the server process (which can be hours or days, but may be as short as a few minutes), and repeated handshakes against such a server let an attacker recover the exponent piece by piece. DSA-based Diffie-Hellman configurations that rely on a static Diffie-Hellman ciphersuite are also susceptible, since there the exponent is a long-term key and is reused by definition.
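The following is an added toy model of the key-recovery attack outlined above; it is not OpenSSL's code, not Antonio Sanso's proof of concept, and not the real TLS handshake. It builds constructed DSA-style parameters whose p - 1 has the small prime factors listed in SMALL_PRIMES, lets the attacker offer a public value of small order s so that the server's shared secret can take only s values, brute-forces x mod s against a key-confirmation tag (a hash of the shared secret standing in for the TLS Finished MAC, a simplification), and combines the residues with the Chinese remainder theorem. The DHServer class, SERVER_X, and the reuse_exponent and check_subgroup switches are assumptions made for the illustration: the first models a 1.0.2 server without SSL_OP_SINGLE_DH_USE, the second the peer public-value check that the fix adds when q is known.

```python
import hashlib
import secrets
from functools import reduce

# Constructed group shape: p - 1 = 2 * q * M * c with q prime (about 2^20) and M the
# product of these small primes.  A safe prime (p = 2q + 1) has no such factors.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23]
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]  # deterministic below 3.3e24
SERVER_X = 123457  # constructed server exponent, fixed so the run is reproducible


def is_prime(n):
    """Deterministic Miller-Rabin for the sizes used here."""
    if n < 2:
        return False
    if any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def element_of_order(p, s):
    """An element of multiplicative order exactly s (s prime, s divides p - 1)."""
    return next(y for y in (pow(h, (p - 1) // s, p) for h in range(2, p)) if y != 1)


def make_group():
    """(p, q, g): constructed DSA-style parameters, g generating the order-q subgroup."""
    q = 1 << 20
    while not is_prime(q):
        q += 1
    m, c = reduce(lambda a, b: a * b, SMALL_PRIMES), 1
    while not is_prime(2 * q * m * c + 1):
        c += 1
    p = 2 * q * m * c + 1
    return p, q, element_of_order(p, q)


def in_subgroup(y, p, q):
    """Peer-key check available when q is known: 1 < y < p - 1 and y^q == 1 (mod p)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def tag_of(secret, p):
    """Stand-in for the TLS Finished MAC, keyed only by the DH shared secret."""
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


class DHServer:
    """reuse_exponent=True models 1.0.2 before 1.0.2f without SSL_OP_SINGLE_DH_USE;
    check_subgroup=True models the peer public-value check added by the fix."""

    def __init__(self, p, q, g, x, reuse_exponent=True, check_subgroup=False):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.reuse_exponent, self.check_subgroup = reuse_exponent, check_subgroup

    def public_value(self):
        return pow(self.g, self.x, self.p)

    def finished(self, peer_y):
        """One handshake: shared secret from the peer's value, then the confirmation tag."""
        if self.check_subgroup and not in_subgroup(peer_y, self.p, self.q):
            raise ValueError("peer public value not in the order-q subgroup")
        tag = tag_of(pow(peer_y, self.x, self.p), self.p)
        if not self.reuse_exponent:
            self.x = secrets.randbelow(self.q - 1) + 1  # fresh exponent per handshake
        return tag


def crt(residues):
    """Combine (value, modulus) pairs with pairwise coprime moduli."""
    x, m = 0, 1
    for r, s in residues:
        x += m * (((r - x) * pow(m, -1, s)) % s)
        m *= s
    return x


def recover_exponent(server, p, q, g):
    """Offer an element of order s for each small prime s: the server's secret y^x then
    takes only s values, so x mod s falls to a brute force against the tag.  CRT over
    all s gives x itself because x < q < product(SMALL_PRIMES)."""
    residues = []
    for s in SMALL_PRIMES:
        y = element_of_order(p, s)
        try:
            tag = server.finished(y)
        except ValueError:
            return None  # handshake aborted by the subgroup check
        residues.append((next(k for k in range(s) if tag_of(pow(y, k, p), p) == tag), s))
    x = crt(residues)
    # With a fresh exponent per handshake the residues belong to different x and this
    # check fails: that is what SSL_OP_SINGLE_DH_USE buys.
    return x if pow(g, x, p) == server.public_value() else None


def demo(reuse_exponent=True, check_subgroup=False):
    p, q, g = make_group()
    return recover_exponent(DHServer(p, q, g, SERVER_X, reuse_exponent, check_subgroup), p, q, g)
```

Running demo() against the exponent-reusing server returns SERVER_X after eight handshakes; demo(check_subgroup=True) returns None because the first small-order value is rejected, and demo(reuse_exponent=False) returns None because residues gathered from different exponents do not combine into a key that matches the server's public value. The real attack needs more and larger factors of p - 1 than this toy, but the arithmetic is the same.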
A technical description of the vulnerability, tracked as CVE-2016-0701, can be found in this blog post published Thursday by Antonio Sanso, the Adobe Systems researcher who discovered and privately reported it. OpenSSL officials have additional details here. Among other things, the OpenSSL advisory warns that the fix, which turns on SSL_OP_SINGLE_DH_USE by default so that servers generate a fresh Diffie-Hellman exponent for every handshake, and which rejects peer public values outside the expected subgroup when the parameters include q, may carry a performance cost.