
New vulnerability in OpenSSL could allow attackers to intercept secure communications

Authored by a Symantec employee


A new weakness in OpenSSL could allow attackers to hijack secure communications by tricking a targeted computer into accepting invalid and untrusted SSL certificates as valid certificates. This could help facilitate man-in-the-middle (MITM) attacks, where attackers eavesdrop on connections with secure websites such as online banking, ecommerce or email. This means that any data that a user sends to a website, including user login credentials, can be intercepted by the eavesdropping attacker.


The purpose of SSL certificates is to verify that the website is what it claims to be. They also signify secure, encrypted connections between users’ devices and legitimate websites. You can tell when encryption is enabled by making sure that a little green padlock appears in front of the web address of the website you are visiting.

For a deeper dive into how this technology works, you can check out “SSL Certificates: What Consumers Need to Know.”

Unfortunately, bugs are commonly found in software these days. We have seen many different forms of this bug in the past. In April of 2014, the high-profile bug Heartbleed allowed attackers to intercept secure communications and steal sensitive user information such as login credentials and personal data. In October of 2014, the POODLE vulnerability was discovered in an older version of SSL, SSL 3.0. In early March of this year, a vulnerability known as FREAK was discovered. FREAK could allow attackers to intercept and decrypt encrypted traffic via a MITM attack.

How to stay safe

This new software bug will not directly affect most Norton customers. Any large websites that have this bug should be quick to act and apply the latest software update to fix the issue, so you really don’t have to worry.

If there are any websites you are concerned about, particularly sites that you submit personal information to, don’t forget to check for the padlock. You can also use Symantec’s SSL Tools Certificate Checker, which will check whether a website is vulnerable to exploitation. This is also a good reminder about the importance of keeping the software that runs on your computer or mobile device up to date.
