Some of the world's leading websites, including those owned or operated by Bank of America, VMware, the US Department of Veterans Affairs, and business consultancy Accenture, are vulnerable to simple attacks that bypass the transport layer security (TLS) encryption designed to thwart eavesdroppers and spoofers.
The newspaper Süddeutsche Zeitung reports that the German spy agency BND will spend €28 million next year on what it calls its 'Strategische Initiative Technik' (Strategic Technical Initiative, SIT), and that it has asked the German government for a further €300 million (original in German). The German edition of the English-language site "The Local" explains how the money will be used:
The aim of the programme is to penetrate foreign social networks and create an early warning system for cyber attacks.
Microsoft has released a Fix It that disables SSL 3.0 in Internet Explorer, the protocol at the heart of the POODLE attack. The Fix It, a small program that applies the necessary registry changes, makes the process simpler than editing the registry or changing the browser's advanced settings by hand.
POODLE is the name given to a vulnerability in SSL version 3.0 disclosed earlier this month by Google researchers. SSL was supplanted by TLS, whose current version is 1.2, but many clients retry the handshake with an older protocol version when a newer one fails, and an attacker sitting in the network path can force that fallback all the way down to SSL 3.0 even when both ends support TLS.
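The same effect as the Fix It can be obtained directly from the registry. The following is an added example written for this note, not Microsoft's Fix It or any Microsoft code; it assumes the documented WinINet `SecureProtocols` bitmask (used by Internet Explorer) and the documented SChannel protocol keys, and it must be run from an elevated PowerShell prompt:

```powershell
# Added example (not Microsoft's Fix It): disable SSL 3.0 on a Windows machine
# by editing the registry. Run from an elevated PowerShell prompt.
# Assumptions: the WinINet SecureProtocols bitmask and the SChannel
# "Protocols\SSL 3.0\{Client,Server}" keys as documented by Microsoft.

# --- Internet Explorer / WinINet: per-user protocol bitmask -------------------
# Bits: SSL 2.0 = 0x08, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800
$ieKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$sslBits = 0x08 -bor 0x20                  # SSL 2.0 and SSL 3.0: clear these
$tlsBits = 0x80 -bor 0x200 -bor 0x800      # TLS 1.0, 1.1, 1.2: make sure these stay on

$current = (Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
if ($null -eq $current) {
    # Assumption: an absent value means the browser is on its defaults, which include SSL 3.0.
    $current = $tlsBits -bor 0x20
}
$new = ($current -bor $tlsBits) -band (-bnot $sslBits)
Set-ItemProperty -Path $ieKey -Name SecureProtocols -Value $new -Type DWord
'IE SecureProtocols: 0x{0:X} -> 0x{1:X}' -f $current, $new

# --- SChannel: system-wide, covers every client and server that uses Windows TLS ---
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'
foreach ($side in 'Client', 'Server') {
    $key = Join-Path $base $side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Enabled           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
}

# Read back what was written. SChannel only picks the change up after a reboot.
foreach ($side in 'Client', 'Server') {
    Get-ItemProperty -Path (Join-Path $base $side) |
        Select-Object @{ n = 'Side'; e = { $side } }, Enabled, DisabledByDefault
}
```

The first half only changes the current user's Internet Explorer settings and takes effect on the next browser start; the SChannel keys disable SSL 3.0 for every Windows component, including IIS and RDP, and need a reboot. Expect breakage from peers that speak nothing newer than SSL 3.0, such as Internet Explorer 6 on Windows XP in its default configuration, which is exactly the fallback path the attack relies on.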
Security advisories for OpenSSL should not be used for competitive advantage, according to the development project behind the widely used cryptography component.
The warning comes from the OpenSSL Project, which has for the first time published guidelines on how it handles security problems internally, part of an ongoing effort to strengthen the project following the Heartbleed security scare in April.
The first "preview" release of OpenSSL alternative LibreSSL is out, and already a researcher says he has found a "catastrophic failure" in the version for Linux.