A new security hole has been discovered in the SSL protocol
November 9, 2009
Internet security researchers say they've uncovered a critical security hole in the SSL (secure sockets layer) protocol that could allow potential attackers to inject malicious code into encrypted traffic passing between two endpoints.
The security vulnerability in the transport layer security protocol allows man-in-the-middle attackers to surreptitiously introduce malicious text at the beginning of an SSL session, said Marsh Ray, a security researcher who discovered the flaw.
A typical SSL transaction may be broken into multiple sessions, providing the attacker ample opportunity to introduce so-called password resets and other various commands into secure communications believed to be originally cryptographically authenticated but that are not.
Real-life attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies have been meeting since late September to hash out a new industry standard that will fix this critical security flaw.
A draft is largely expected to be submitted by Nov. 12 at the latest to the Internet Engineering Task Force.
Steve Dispensa, CTO of PhoneFactor, a provider of secure authentication services says "a core security guarantee made by TLS is violated as a result of this newly-discovered security hole. It's going to take a while for the protocol changes necessary to be rolled out, because every browser and every server in the world is going to have to be patched."
Ray and Dispensa added that the security vulnerability would most likely have to be exploited in concert with some other security weakness, say a flaw in a home router or the recent DNS bugs discovered by researcher Dan Kaminsky.
Still, an attacker would be unable to read encrypted data that flowed between a server and a client, but that still does not alleviate the problem in any way, since the security breach is one of gigantic proportions to the eCommerce industry and to companies such as Paypal, bank credit card processors, financial institutions that rely on the Web for the bulk of their transactions and others.
Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL in the past, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.
Nevertheless, Ray and Dispensa added that there are such attacks that don't rely at all on client authenticated certificates. They maintained that the ability of an attacker to inject plain text into an authenticated data stream represented a major threat of catastrophic proportions.
Get the best Linux or Windows Web hosting plan for your website.
And they added that the attacks also have special implications for so-called smartcards and other technologies that still rely on client authenticated certificates.
"It's rather clever, but to the best of my knowledge the common cases in which the majority of people use SSL (eCommerce, online banking, secure email service, etc.) are currently unaffected," he wrote in an email. "I haven't found these attacks to be very useful in practice, although this still doesn't give us the liberty to hide our heads in the sand either..."
"Overall, there is some consensus among the biggest security vendors in the world that it's a big problem and IT IS," Dispensa said.
Security developers from OpenSSL and GNU TLS have already developed many patches and are in the various process of testing. Other providers of hardware and software that implement SSL technology are also in various stages of patching security holes as well.
Dispensa and Ray presented their findings under a non-disclosure agreement to a large number of company representatives on September 29 in Mountain View, California, at a company they declined to name.
There's absolutely no doubt in the Internet security community that this issue is currently of the highest priority for now and a lot of recources have already been deployed in finding a permanent fix to the problem, both from a browser standpoint as well as patching all Apache and IIS servers in the world.
Source: Phone Factor.
Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.
You can link to the
Internet Security web site as
much as you like. Read our section on how your company can participate in our
reciprocal link exchange program
and increase your rankings
in the major search engines such as
Site optimized by Pagina+™
Powered by Sun Hosting
Search engine keywords by Rank for Sales
Development platform by My Web Services
Internet Security.ca is listed in
Global Business Listing