
Duo Patches for the Latest OpenSSL Vulnerabilities

Oh boy. Another OpenSSL vuln. Looks like we'll have to update our timeline of severe SSL/TLS breaks over the past decade:

SSL/TLS Breach Timeline

The most severe of the handful of OpenSSL vulnerabilities patched in 1.0.1h, the ChangeCipherSpec injection flaw (CVE-2014-0224), can be exploited by a man-in-the-middle adversary to decrypt and modify traffic between a vulnerable client and server. Note the conjunction: the attack only works when both ends of the connection are running unpatched OpenSSL, so patching either side breaks it, but you should still patch both.
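As an added example (not Duo's code and not from the original post), here is a small Python audit that takes `openssl version` output collected from a set of hosts and reports which ones are still below the fix release for their branch. 1.0.1h is the version named above; the 1.0.0m and 0.9.8za fix releases for the other two supported branches come from the same OpenSSL advisory. The hostnames and version strings in the sample are constructed.

```python
"""Flag OpenSSL builds that predate the June 2014 fix release.

Added example, not Duo's code. The only facts assumed are the fixed
versions per branch (1.0.1h from the post; 1.0.0m and 0.9.8za from the
same OpenSSL advisory). The sample host/version data is constructed.
"""
import re
import ssl

# First release on each branch that carries the fix.
FIXED = {
    (1, 0, 1): "1.0.1h",
    (1, 0, 0): "1.0.0m",
    (0, 9, 8): "0.9.8za",
}

# Matches "1.0.1g", "0.9.8za", "1.0.1e" inside "1.0.1e-fips", etc.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, patch_letters) from an OpenSSL version string.

    Accepts `openssl version` output ("OpenSSL 1.0.1g 7 Apr 2014"), bare
    versions ("1.0.1e") and distro-suffixed ones ("1.0.1e-fips").
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def _letters_key(letters):
    # OpenSSL patch letters sort a < b < ... < z < za < zb ...; comparing
    # (length, string) puts "z" before "za" and "" (no letter) first.
    return (len(letters), letters)


def is_patched(text):
    """True if the build is at or above its branch's fix release.

    Returns None for branches that did not receive the June 2014 fix
    (e.g. 1.0.2 betas or anything newer), so callers can treat it as unknown.
    """
    major, minor, fix, letters = parse_version(text)
    fixed = FIXED.get((major, minor, fix))
    if fixed is None:
        return None
    _, _, _, fixed_letters = parse_version(fixed)
    return _letters_key(letters) >= _letters_key(fixed_letters)


def audit(host_versions):
    """Map {host: version string} to {host: 'patched'|'VULNERABLE'|'unknown'}."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(v)] for host, v in host_versions.items()}


def running_interpreter_is_patched():
    """Apply the same check to the OpenSSL this Python is linked against."""
    return is_patched(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample: what `openssl version` printed on a few hosts.
    sample = {
        "web-1": "OpenSSL 1.0.1g 7 Apr 2014",
        "web-2": "OpenSSL 1.0.1h 5 Jun 2014",
        "lb-1": "OpenSSL 1.0.0m 5 Jun 2014",
        "legacy-1": "OpenSSL 0.9.8y 5 Feb 2013",
        "legacy-2": "OpenSSL 0.9.8za 5 Jun 2014",
        "build-1": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    }
    for host, status in sorted(audit(sample).items()):
        print("%-10s %s" % (host, status))
    print("this interpreter:", ssl.OPENSSL_VERSION, running_interpreter_is_patched())
```

One caveat before trusting the output: distributions such as Debian and Red Hat backport security fixes without bumping the upstream patch letter, so a host reporting 1.0.1e can be fully patched. Treat a VULNERABLE result as a prompt to check the package changelog (or test the handshake behaviour directly), not as proof of exposure.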

For Duo customers, we started testing the patched OpenSSL version yesterday morning soon after the release of the advisory, started pushing out a patched build to production around 11am PST, and completed patching of all production infrastructure by 1pm PST.

These frequent violations of transport security are why we generally don't trust SSL/TLS and have designed our Duo Push technology to maintain integrity even when SSL/TLS is compromised. Back when the Heartbleed vulnerability occurred, I wrote a blog post covering just that:

Heartbleed Defense-in-Depth Part #2: Don't Trust SSL

We also recently posted a webinar on defense-in-depth with respect to SSL/TLS, if you're into that kind of thing:

Webinar Video: Protecting Against Heartbleed with Defense in Depth

Until next time! Which hopefully will not be soon or I'll have to start tracking a MTBOV (Mean Time Between OpenSSL Vulns) metric.

Jon Oberheide

CTO & Co-Founder

@jonoberheide

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.