Serious vulnerability in SSL discovered

Share this article:
Security researchers at mobile phone authentication vendor PhoneFactor said they have discovered a serious vulnerability in Secure Sockets Layer (SSL) technology, a common security mechanism used to protect online communications.

SSL, the most common data security protocol on the internet, is used to encrypt online banking and commerce transactions, and to secure email and database access. The vulnerability, described as an SSL authentication gap, results from an underlying weakness in the SSL protocol standard, the researchers said. Because of the vulnerability, an attacker could launch a man-in-the-middle attack to intercept an SSL-protected session, then surreptitiously execute commands, according to PhoneFactor.

During the attack, both a web server and browser would have no idea the session had been hijacked, researchers said.

This vulnerability makes SSL-protected online banking sessions potentially susceptible to attack, they said. In addition, some back-office systems, mail and database servers could be susceptible.

The vulnerability will require all SSL libraries to be patched, said Steve Dispensa, PhoneFactor CTO. In addition, most client and server applications will need to include new SSL libraries in their products, and users will need to update any software that uses SSL.

The flaw was discovered in August by PhoneFactor's Marsh Ray and Steve Dispensa.

Since September, the pair have been working with a consortium of affected vendors and standard bodies to fix the vulnerability. The group has come to an agreement about how to repair the underlying issue with the SSL protocol standard and patch SSL libraries. In addition, the group has created a set of recommended methods for mitigating the vulnerability.

PhoneFactor's Ray and Dispensa initially volunteered to hold off on disclosing the vulnerability publicly until 2010 to give vendors time to make the necessary patches available. But on Wednesday, an independent researcher who had discovered the flaw posted details about it to an internet mailing list. News of the bug rapidly spread through the security community, prompting Ray and Dispensa to go public with their findings.

Share this article:

Sign up to our newsletters

More in News

BlackBerry acquires voice and data encryption firm Secusmart

On Tuesday it was announced that the phonemaker would purchase the voice and data encryption firm.

OTI report exposes economic costs of NSA spying

OTI report exposes economic costs of NSA spying

A report from New America OTI found that the NSA surveillance program has had a chilling effect on U.S. commerce and foreign policy.

Breach index: Encryption used in 23 percent of Q2 incidents

Breach index: Encryption used in 23 percent of ...

Out of the 237 disclosed data breaches last quarter, encryption was used in only 10 instances.