The official website for the widely used OpenSSL code library was compromised four days ago in an incident that is stoking concerns among some security professionals.
Code repositories remained untouched in the December 29 hack, and the only outward sign of a breach was a defacement left on the OpenSSL.org home page. The compromise is nonetheless rattling some nerves. In a brief advisory last updated on New Year’s Day, officials said “the attack was made via hypervisor through the hosting provider and not via any vulnerability in the OS configuration.” The lack of additional details raised the question of whether the same weakness may have been exploited to target other sites that use the same service. After all, saying a compromise was achieved through a hypervisor vulnerability in the Web host of one of the Internet’s most important sites isn’t necessarily comforting news if the service or hypervisor platform is widely used by others.
Fortunately, the attackers didn’t, or weren’t able to, use their access to slip backdoor code into the OpenSSL software, which websites around the world use to provide HTTPS encryption for the pages they serve. That assurance is possible because the code is maintained and distributed through Git, a source-code management system that allows developers and users to maintain independent copies all over the Internet. Since the cryptographic hashes found on OpenSSL matched those elsewhere, there is a high degree of confidence the code hasn’t been altered.
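The cross-check described above, as an added example that is not from the article or the OpenSSL project: Git names every file by a content hash (SHA-1 over a `blob <size>\0` header plus the bytes, the same value `git hash-object` prints), so a copy fetched from a possibly compromised site can be checked against the ids held by independently maintained copies. The file contents and mirror names below are constructed.

```python
import hashlib
from collections import Counter


def git_blob_id(content: bytes) -> str:
    """Object id Git assigns to a file's content: SHA-1 over 'blob <size>\\0' + bytes.
    Matches `git hash-object <file>` for the classic SHA-1 object format."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def cross_check(local_content: bytes, mirror_ids: dict, quorum: int = 2) -> dict:
    """Compare the id of a locally obtained copy with the ids reported by
    independently administered copies (mirror name -> object id).

    Confidence comes from agreement among copies under separate control, not
    from the primary site, so the verdict needs at least `quorum` agreeing
    mirrors and the local id must also be the majority value."""
    local = git_blob_id(local_content)
    tally = Counter(mirror_ids.values())
    agreeing = sorted(name for name, oid in mirror_ids.items() if oid == local)
    dissenting = sorted(name for name, oid in mirror_ids.items() if oid != local)
    majority = tally.most_common(1)[0][0] if tally else None
    return {
        "local_id": local,
        "agreeing": agreeing,
        "dissenting": dissenting,
        "trusted": len(agreeing) >= quorum and majority == local,
    }


# Constructed sample data: one source file as published, and an altered copy.
CLEAN = b"int verify(void) { return check_signature(); }\n"
ALTERED = b"int verify(void) { return 1; /* check removed */ }\n"

# Ids as three independent mirrors would report them (constructed).
MIRRORS_CLEAN = {name: git_blob_id(CLEAN) for name in ("mirror-a", "mirror-b", "mirror-c")}
MIRRORS_ONE_BAD = dict(MIRRORS_CLEAN, **{"mirror-c": git_blob_id(ALTERED)})


if __name__ == "__main__":
    # A copy that matches all mirrors is accepted.
    print(cross_check(CLEAN, MIRRORS_CLEAN))
    # An altered copy disagrees with every independent mirror and is rejected.
    print(cross_check(ALTERED, MIRRORS_CLEAN))
    # One divergent mirror is reported by name without blocking a quorum verdict.
    print(cross_check(CLEAN, MIRRORS_ONE_BAD))
```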
via Ars Technica http://feeds.arstechnica.com/~r/arstechnica/index/~3/KJYnbNU_kzU/