New vulnerability in OpenSSL could allow attackers to intercept secure communications
Authored by a Symantec employee
A new weakness in OpenSSL could allow attackers to hijack secure communications by tricking a targeted computer into accepting invalid and untrusted SSL certificates as valid certificates. This could help facilitate man-in-the-middle (MITM) attacks, where attackers eavesdrop on connections with secure websites such as online banking, ecommerce or email. This means that any data that a user sends to a website, including login credentials, can be intercepted by the eavesdropping attacker.
The purpose of SSL certificates is to verify that the website is what it claims to be. They also signify secure, encrypted connections between users’ devices and legitimate websites. You can tell when encryption is enabled by making sure that a little green padlock appears in front of the web address of the website you are visiting.
For a deeper dive into how this technology works, you can check out “SSL Certificates: What Consumers Need to Know.”
Unfortunately, bugs are commonly found in software these days. We have seen many different forms of this bug in the past. In April of 2014, the high-profile bug Heartbleed allowed attackers to intercept secure communications and steal sensitive user information such as login credentials and personal data. In October of 2014, the POODLE vulnerability was discovered in an older version of SSL, SSL 3.0. In early March of this year, a vulnerability known as FREAK was discovered. FREAK could allow attackers to intercept and decrypt encrypted traffic via a MITM attack.
How to stay safe
This new software bug will not directly affect most Norton customers. Any large websites that have this bug should be quick to act and apply the latest software update to fix the issue, so you really don’t have to worry.
If there are any websites you are concerned about, particularly sites that you submit personal information to, don’t forget to check for the padlock. You can also use Symantec’s SSL Tools Certificate Checker, which will check whether a website is vulnerable to exploitation. This is also a good reminder about the importance of keeping the software that runs on your computer or mobile device up to date.