Another ‘Oh Shit’ Moment in Cryptography

I no longer actively track ongoings in the crypto-land but I ran into this bad boy when I visited Kim's blog for the Open Specification Promise news (superb news btw).

The vulnerability involves two parts: sloppy code (OpenSSL and possibly others) and weak certs issued by some CAs. Fixed code should detect forged signatures. Updating the certs should make it impractical to forge digital signatures to look as if they were signed by those certs.

If you use OpenSSL (very likely if you write cross-platform software that uses cryptography), read it. If you another libary to validate digital signature, check with library developers to see if you need to update. If you are a non-tech, lookout for updates of software you use (i.e. Firefox which maybe affected).

Needless to say, this is pretty bad.