Browser developers scramble to fix major security flaw in SSL technology

05 November 2009

Reports are coming in of a major security flaw in the way secure sockets layer (SSL) technology renegotiates user sessions across the internet, with software developers reportedly scrambling to develop a fix for an issue they have known about for some weeks.

The SSL security problem relates to the way SSL 3.0+ and TLS+ (transport layer security) operate when an SSL session is renegotiated for any reason, since the flaw appears to allow the insertion of a piece of plain text into the session process.

The unencoded piece of text could be used to trigger a man-in-the-middle hacker attack and, say various sources, this is where the major problem lies.

The possibility of man-in-the-middle attacks being triggered by SSL vulnerabilities was detailed by Peter Wood, an ISACA professional and chief of operations with First Base Technologies, at the Infosecurity show back in April of this year.

At the time, Wood said that, under certain circumstances, it is even possible for a hacker to seize control of a supposedly secure - and authenticated - IP session just as the user has entered their payment card data and other personal information.

Wood speculated that hackers may already be aware of what is a structural security flaw on the internet, bearing in mind a number of high-profile hacks of e-commerce sites that use secure protocols to protect the interests of their customers.

That speculation now appears to have been correct, as Marsh Ray, an authentication software developer with PhoneFactor, has posted details of what has been happening in recent weeks on his blog.

According to Ray, a number of interested parties, including members of ICASI and the IETF, held a meeting in California at the end of September, at which a "tentative solution" to the SSL security flaw was agreed upon, and 'Project Mogul' - a cross-party development project - has been in progress ever since.

Since then, the project has reportedly been given high importance in the internet software development community, with vendors whose products use SSL and TLS technology working hard to develop workarounds.

The last few days, however, have seen the plans for Project Mogul scuppered when an SAP engineer called Martin Rex stumbled across the SSL / TLS flaw all by himself and - apparently unaware of the potentially serious nature of the flaw - posted his observations on the public section of the IETF's discussion list.

It was at this stage that PhoneFactor decided to report on the SSL security flaw in the firm's blog, since when newswires have picked up on the problem.

The software vendor community, meanwhile, continues to develop workarounds and solutions to this potentially very major security problem in SSL.

 
