The maintainers of Ruby have fixed a serious flaw in its SSL client that could have allowed an attacker to conduct man-in-the-middle attacks by spoofing an SSL server.
The vulnerability lies in the OpenSSL extension that ships with Ruby, specifically in the hostname check its SSL client performs against a server certificate, and is present in several versions of the software from 1.8 through 2.0. An attacker exploiting the flaw could impersonate a trusted SSL server and intercept protected traffic intended for that server. The Ruby maintainers have released patches for the bug.
“A vulnerability in Ruby’s SSL client that could allow man-in-the-middle attackers to spoof SSL servers via a valid certificate issued by a trusted certification authority,” the Ruby advisory says. “When a CA that an SSL client trusts allows the issuance of a server certificate that has a null byte in its subjectAltName, remote attackers can obtain a certificate for ‘www.ruby-lang.org\0.example.com’ from the CA to spoof ‘www.ruby-lang.org’ and perform a man-in-the-middle attack between Ruby’s SSL client and SSL servers.”
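The advisory describes the classic NUL-byte certificate trick: the CA signs a dNSName whose bytes are `www.ruby-lang.org\0.example.com`, and a client that hands that name to C-string comparison stops reading at the NUL and sees only `www.ruby-lang.org`. The following is an added example (not Ruby’s own `verify_certificate_identity` code and not the patch) that builds such a subjectAltName with Ruby’s `OpenSSL::ASN1` module, then runs both a truncating comparison and a length-aware one over it. The SAN contents and hostnames are constructed for illustration; `san_der`, `dns_names_from_san`, `vulnerable_match?`, `safe_match?` and `san_matches?` are helper names invented here.

```ruby
require "openssl"

# Constructed example: encode a subjectAltName extension value (the DER that
# would sit inside the certificate) holding the given dNSName entries.
# Per RFC 5280 a GeneralName dNSName is [2] IMPLICIT IA5String.
def san_der(dns_names)
  names = dns_names.map do |name|
    OpenSSL::ASN1::IA5String.new(name, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
  end
  OpenSSL::ASN1::Sequence.new(names).to_der
end

# Decode the dNSName entries back out of the DER. OpenSSL::ASN1 keeps every
# byte, including an embedded NUL, exactly as the CA signed it.
def dns_names_from_san(der)
  OpenSSL::ASN1.decode(der).value
    .select { |gn| gn.tag == 2 && gn.tag_class == :CONTEXT_SPECIFIC }
    .map { |gn| gn.value.b }
end

# Vulnerable comparison: the name is handled as a NUL-terminated C string, so
# everything after the first "\0" is dropped before it is compared.
def vulnerable_match?(san_name, hostname)
  truncated = san_name.split("\0", 2).first.to_s
  truncated.downcase == hostname.downcase
end

# Hardened comparison: reject any name containing a NUL or non-ASCII byte,
# compare the whole name label by label, and honour a wildcard only in the
# leftmost label of a name with at least two labels.
def safe_match?(san_name, hostname)
  return false if san_name.include?("\0") || hostname.include?("\0")
  return false unless san_name.ascii_only? && hostname.ascii_only?
  san_labels  = san_name.downcase.split(".", -1)
  host_labels = hostname.downcase.split(".", -1)
  return false if san_labels.size < 2 || san_labels.size != host_labels.size
  san_labels.each_with_index.all? do |label, i|
    label == host_labels[i] || (i.zero? && label == "*")
  end
end

# Does any dNSName in the SAN match the host we meant to talk to?
def san_matches?(der, hostname, strict:)
  dns_names_from_san(der).any? do |name|
    strict ? safe_match?(name, hostname) : vulnerable_match?(name, hostname)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Hypothetical certificate a CA might mis-issue for the attacker's own
  # domain: the name carries an embedded NUL before ".example.com".
  spoofed = san_der(["www.ruby-lang.org\0.example.com"])
  puts "vulnerable check accepts spoofed cert: #{san_matches?(spoofed, 'www.ruby-lang.org', strict: false)}"
  puts "hardened check accepts spoofed cert:   #{san_matches?(spoofed, 'www.ruby-lang.org', strict: true)}"
end
```

The point the example makes is that the certificate is genuinely valid for the name the CA saw, so chain validation passes; only the hostname comparison stands between the attacker and the session, and it has to compare the full ASN.1 string length, not stop at the first NUL. In a Ruby client that comparison is performed by `OpenSSL::SSL::SSLSocket#post_connection_check` (which calls `OpenSSL::SSL.verify_certificate_identity`), so applications should keep `verify_mode = OpenSSL::SSL::VERIFY_PEER`, call `post_connection_check(hostname)` after the handshake, and run a patched Ruby release.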