Duo Patches for the Latest OpenSSL Vulnerabilities

Oh boy. Another OpenSSL vuln. Looks like we'll have to update our timeline of severe SSL/TLS breaks over the past decade:

SSL/TLS Breach Timeline

The most severe of the handful of OpenSSL vulnerabilities patched in 1.0.1h can be exploited by a man-in-the-middle adversary to decrypt traffic between a vulnerable client and server.

For Duo customers, we started testing the patched OpenSSL version yesterday morning soon after the release of the advisory, started pushing out a patched build to production around 11am PST, and completed patching of all production infrastructure by 1pm PST.

These frequent violations of transport security are why we generally don't trust SSL/TLS and have designed our Duo Push technology to maintain integrity even when SSL/TLS is compromised. Back when the Heartbleed vulnerability occurred, I wrote a blog post covering just that:

Heartbleed Defense-in-Depth Part #2: Don't Trust SSL

We also recently posted a webinar on defense-in-depth with respect to SSL/TLS, if you're into that kind of thing:

Webinar Video: Protecting Against Heartbleed with Defense in Depth

Until next time! Which hopefully will not be soon, or I'll have to start tracking an MTBOV (Mean Time Between OpenSSL Vulns) metric.