<img src="https://secure.leadforensics.com/32105.png" style="display:none;">

New OpenSSL Bug Exposed

On the 10th of July a new bug was announced in the OpenSSL library. This is the library used by many websites and tools to manage TLS/SSL.

How does it Affect My1Login?

Before we go onto discuss the bug, how it works and what it does, it's important to say that it does not affect My1Login services or our customers.

What is it?

Unlike Heartbleed, which affected servers, this new bug mainly affects end-user products (such as web-browsers, VPN tools, etc.). It's potentially very serious in that it allows a website to present an invalid SSL certificate, but to have the end-user application treat it as though it were valid - so an SSL website can be easily impersonated. 


 Credit: GitHub

What do I need to do?

With regards to your My1Login account, nothing. It is not affected. With regards to general web usage, the actual reach of the new bug is limited as most of the major browsers do not use OpenSSL and are therefore not affected. Additionally, the bug has been caught quickly by OpenSSL. While it was present in pre-release code since January, the affected code has only been officially released by OpenSSL for the past month. Therefore very few applications are likely to have been released that contain it.

Google Chrome, Mozilla Firefox, IE and iOS all use Boring SSL and not OpenSSL. As a result if you use these browsers you are unnafected. Android uses both Boring SSL and OpenSSL, depending on the operating system version. However, individual apps on mobile devices typically use their own code for verifying certificates. This means any individual app could potentially be vulnerable. To mitigate this risk, as it may take several weeks for the fixes to be rolled out by all vendors, our advice is to rely on browsers that are not vulnerable to the bug over individual apps.

Further information can be obtained from OpenSSL themselves here.


Back to Blog

Related Articles

My1Login has been named a finalist for IAM in two Awards

My1Login has been named a finalist for its Identity and Access Management solution at both the Computing Security Awards and the Computing Security Excellence...

My1Login Named Top Performer in Identity & Access Management for Customer Success

My1Login have been named a Top Performer in FeaturedCustomers’ Spring 2022 Identity & Access Management Software Customer Success Report.FeaturedCustomers is a...

Join My1Login at DTX Manchester

  My1Login will be exhibiting at DTX Manchester on 27th and 28th April 2022. Also at the event, one of our customers, Liam Mahon, Director of Digital & Innovation...