Security researchers at mobile phone authentication vendor PhoneFactor said they have discovered a serious vulnerability in Secure Sockets Layer (SSL) technology, a common security mechanism used to protect online communications.
SSL, the most common data security protocol on the internet, is used to encrypt online banking and commerce transactions, and to secure email and database access. The vulnerability, described as an SSL authentication gap, results from an underlying weakness in the SSL protocol standard, the researchers said. Because of the vulnerability, an attacker could launch a man-in-the-middle attack to intercept an SSL-protected session, then surreptitiously execute commands, according to PhoneFactor.
During the attack, both a web server and browser would have no idea the session had been hijacked, researchers said.
This vulnerability makes SSL-protected online banking sessions potentially susceptible to attack, they said. In addition, some back-office systems, mail and database servers could be susceptible.
The vulnerability will require all SSL libraries to be patched, said Steve Dispensa, PhoneFactor CTO. In addition, most client and server applications will need to include new SSL libraries in their products, and users will need to update any software that uses SSL.
The flaw was discovered in August by PhoneFactor’s Marsh Ray and Steve Dispensa.
Since September, the pair have been working with a consortium of affected vendors and standard bodies to fix the vulnerability. The group has come to an agreement about how to repair the underlying issue with the SSL protocol standard and patch SSL libraries. In addition, the group has created a set of recommended methods for mitigating the vulnerability.
PhoneFactor’s Ray and Dispensa initially volunteered to hold off on disclosing the vulnerability publicly until 2010 to give vendors time to make the necessary patches available. But on Wednesday, an independent researcher who had discovered the flaw posted details about it to an internet mailing list. News of the bug rapidly spread through the security community, prompting Ray and Dispensa to go public with their findings.