Serious vulnerability in SSL discovered

Share this article:
Security researchers at mobile phone authentication vendor PhoneFactor said they have discovered a serious vulnerability in Secure Sockets Layer (SSL) technology, a common security mechanism used to protect online communications.

SSL, the most common data security protocol on the internet, is used to encrypt online banking and commerce transactions, and to secure email and database access. The vulnerability, described as an SSL authentication gap, results from an underlying weakness in the SSL protocol standard, the researchers said. Because of the vulnerability, an attacker could launch a man-in-the-middle attack to intercept an SSL-protected session, then surreptitiously execute commands, according to PhoneFactor.

During the attack, both a web server and browser would have no idea the session had been hijacked, researchers said.

This vulnerability makes SSL-protected online banking sessions potentially susceptible to attack, they said. In addition, some back-office systems, mail and database servers could be susceptible.

The vulnerability will require all SSL libraries to be patched, said Steve Dispensa, PhoneFactor CTO. In addition, most client and server applications will need to include new SSL libraries in their products, and users will need to update any software that uses SSL.

The flaw was discovered in August by PhoneFactor's Marsh Ray and Steve Dispensa.

Since September, the pair have been working with a consortium of affected vendors and standard bodies to fix the vulnerability. The group has come to an agreement about how to repair the underlying issue with the SSL protocol standard and patch SSL libraries. In addition, the group has created a set of recommended methods for mitigating the vulnerability.

PhoneFactor's Ray and Dispensa initially volunteered to hold off on disclosing the vulnerability publicly until 2010 to give vendors time to make the necessary patches available. But on Wednesday, an independent researcher who had discovered the flaw posted details about it to an internet mailing list. News of the bug rapidly spread through the security community, prompting Ray and Dispensa to go public with their findings.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.