Add to del.icio.us     Digg this

November 9, 2009

Internet security researchers say they've uncovered a critical security hole in the SSL (secure sockets layer) protocol that could allow potential attackers to inject malicious code into encrypted traffic passing between two endpoints.

The security vulnerability in the transport layer security protocol allows man-in-the-middle attackers to surreptitiously introduce malicious text at the beginning of an SSL session, said Marsh Ray, a security researcher who discovered the flaw.

A typical SSL transaction may be broken into multiple sessions, providing the attacker ample opportunity to introduce so-called password resets and other various commands into secure communications believed to be originally cryptographically authenticated but that are not.

Real-life attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies have been meeting since late September to hash out a new industry standard that will fix this critical security flaw.

A draft is largely expected to be submitted by Nov. 12 at the latest to the Internet Engineering Task Force.

Steve Dispensa, CTO of PhoneFactor, a provider of secure authentication services says "a core security guarantee made by TLS is violated as a result of this newly-discovered security hole. It's going to take a while for the protocol changes necessary to be rolled out, because every browser and every server in the world is going to have to be patched."

Ray and Dispensa added that the security vulnerability would most likely have to be exploited in concert with some other security weakness, say a flaw in a home router or the recent DNS bugs discovered by researcher Dan Kaminsky.

Still, an attacker would be unable to read encrypted data that flowed between a server and a client, but that still does not alleviate the problem in any way, since the security breach is one of gigantic proportions to the eCommerce industry and to companies such as Paypal, bank credit card processors, financial institutions that rely on the Web for the bulk of their transactions and others.

Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL in the past, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.

Nevertheless, Ray and Dispensa added that there are such attacks that don't rely at all on client authenticated certificates. They maintained that the ability of an attacker to inject plain text into an authenticated data stream represented a major threat of catastrophic proportions.

Get the best Linux or Windows Web hosting plan for your website.

And they added that the attacks also have special implications for so-called smartcards and other technologies that still rely on client authenticated certificates.

"It's rather clever, but to the best of my knowledge the common cases in which the majority of people use SSL (eCommerce, online banking, secure email service, etc.) are currently unaffected," he wrote in an email. "I haven't found these attacks to be very useful in practice, although this still doesn't give us the liberty to hide our heads in the sand either..."

"Overall, there is some consensus among the biggest security vendors in the world that it's a big problem and IT IS," Dispensa said.

Security developers from OpenSSL and GNU TLS have already developed many patches and are in the various process of testing. Other providers of hardware and software that implement SSL technology are also in various stages of patching security holes as well.

Dispensa and Ray presented their findings under a non-disclosure agreement to a large number of company representatives on September 29 in Mountain View, California, at a company they declined to name.

There's absolutely no doubt in the Internet security community that this issue is currently of the highest priority for now and a lot of recources have already been deployed in finding a permanent fix to the problem, both from a browser standpoint as well as patching all Apache and IIS servers in the world.

Add to del.icio.us     Digg this

Source: Phone Factor.

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.