Oh boy. Another OpenSSL vuln. Looks like we'll have to update our timeline of severe SSL/TLS breaks over the past decade:
The most severe of the handful of OpenSSL vulnerabilities patched in 1.0.1h can be exploited by a man-in-the-middle adversary to decrypt traffic between a vulnerable client and server.
For Duo customers, we started testing the patched OpenSSL version yesterday morning soon after the release of the advisory, started pushing out a patched build to production around 11am PST, and completed patching of all production infrastructure by 1pm PST.
These frequent violations of transport security are why we generally don't trust SSL/TLS and have designed our Duo Push technology to maintain integrity even when SSL/TLS is compromised. Back when the Heartbleed vulnerability occurred, I wrote a blog post covering just that:
We also recently posted a webinar on defense-in-depth with respect to SSL/TLS, if you're into that kind of thing:
Until next time! Which hopefully will not be soon or I'll have to start tracking a MTBOV (Mean Time Between OpenSSL Vulns) metric.