Computers and Web servers initiate secure conversations with one another in a process known as a “handshake.” But this week, security researchers discovered a flaw in the way they shake hands. The bug allows a hacker operating between you and a website — say, connected to the same public Wi-Fi network — to snoop in on your Internet session.
Here’s the good news: The handshake bug isn’t as devastating as Heartbleed. The only major browsers it affects are for Google’s Android mobile operating system. And for a hacker to exploit the bug, you and the website must both be running vulnerable versions of the encrypting software, known as OpenSSL.
But it’s yet another wake up call that your Internet security relies on a few volunteers. The OpenSSL Foundation is a tiny team of computer programmers that only recently started getting additional financial support from many companies that rely on this software. The Linux Foundation said OpenSSL has received about half of the $5.4 million that companies have donated so far to the Core Infrastructure Initiative, an effort to better secure the Internet.
In fact, many security researchers say the only reason we spotted the handshake bug is because, post-Heartbleed, more volunteers are combing through the OpenSSL computer code. The world can thank Masashi Kikuchi, a software security expert at the small Japanese consulting firm Lepidum who decided to look through the code himself.
“The biggest reason why the bug hasn’t been found for over 16 years is that code reviews were insufficient,” Kikuchi wrote in a blog post.
The bug has been fixed, and now it’s up to Web browser makers and website servers to update their systems. According to Adam Langley, a senior researcher at Google (GOOG), these Web browsers are safe:
- Internet Explorer
- Chrome (for desktop, iOS)
According to Qualys (QLYS) engineering director Ivan Ristic, these browsers are vulnerable:
- Chrome (for Android)
“We shouldn’t be surprised that there are more flaws in OpenSSL,” said Jean Taggart, a researcher at antivirus maker Malwarebytes. “Security is a process, not a product.”
And if you’re still worried about the handshake bug? Keep yourself clean. Don’t use strangers’ Wi-Fi.