SSL Web Security Protocol Compromised by Researchers

Two researchers with PhoneFactor say they've found a serious flaw with SSL security - the technology used to protect most online transactions.

Two researchers with PhoneFactor, a company that offers two-factor authentication services, say that they have uncovered a serious vulnerability in SSL (Secure Sockets Layer), a fundamental online security technology that’s widely used to safeguard ecommerce transactions and other sensitive data. The flaw, in theory, can enable attackers to insert themselves into a secured online transaction as a “man in the middle,” able to view all data moving back and forth between two parties—and alter the data stream and issue commands—on what the users believe is a secured connection.

The researchers, Marsh Ray and Steve Dispensa, found the error in August 2009 and reported it to a group of impacted vendors and standards committees without publicly disclosing the problem. PhoneFactor had planned to hold off on disclosing the vulnerability until early 2010 in order to give vendors time to patch their SSL software and deploy fixed versions to their customers, but another researcher discovered the bug independently and posted it to an IETF mailing list on November 4.

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said PhoneFactor CTO Steve Dispensa, in a statement. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

SSL is widely used to secure transmissions for a variety of applications, from ecommerce, online banking, and Web-based management of almost any sort of customer account to non-Web applications like database servers, email, and enterprise systems.

The new vulnerability is not the first to hit SSL in recent months: at the Black Hat security conference in Las Vegas, security researchers Mike Zusman and Alex Sotirov demonstrated a browser design flaw that enabled man-in-the-middle attacks on SSL connections. Other recent attacks on SSL have focused on clandestinely shifting traffic from SSL-protected https:// connections to unsecured http:// links.

  • Joseph A'Deo
    Agreed that this needs fixin', but at VeriSign we don't see this as "Earth shattering" (to use Tim Callan's words). The vulnerability will mostly be a development issue, and since there's no way credentials or sensitive info could get hijacked there's no need for consumers to be too concerned. Of course, the larger, more valid issue is that browsers are in constant need of updating where security is concerned...and one should always do their banking and shopping on robustly encrypted sites (for example, those that use extended validation ssl).