SSL Web Security Protocol Compromised by Researchers

By Geoff Duncan November 5, 2009

Ethernet connector — Image used with permission by copyright holder

Two researchers with PhoneFactor, a company that offers two-factor authentication services, say that thay have uncovered a serious vulnerability in SSL (Secure Sockets Layer), a fundamental online security technology that’s widely used to safeguard ecommerce transactions and other sensitive data. The flaw, in theory, can enable attackers to insert themselves into a secured online transaction as a “man in the middle,” able to view all data moving back and forth between two parties—and alter the data stream and issue commands—on what the users believe is a secured connections.

The researchers, Marsh Ray and Steve Dispensa, found the error in August 2009 and reported it to a group of impacted vendors and standards committees without publicly disclosing the problem. PhoneFactor had planned to hold off on disclosing the vulnerability until early 2010 in order to give vendors time to patch their SSL software and deploy fixed versions to their customers, but another research discovered the bug independently and posted it to an IETF mailing list on November 4.

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said PhoneFactor CTO Steve Dispensa, in a statement. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

SSL is widely used to secure transmissions for a variety of applications, from ecommerce and online banking, Web-based management of almost any sort of customer account, as well as non-Web applications like database servers, email, and enterprise systems.

The new vulnerability is not the first to hit SSL in recent months: at the Black Hat security conference in Las Vegas security researchers Mike Zusman and Alex Sotirov demonstrated a browser design flaw that enabled man-in-the-middle attacks on SSL connections. Other recent attacks on SSL have focused on clandestinely shifting traffic from SSL_protected https:// connections to unsecured http:// links.

Editors' Recommendations

Former Digital Trends Contributor

Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…

Computing

Scores of people are downgrading back to Windows 10

The screen of the Galaxy Book4 Ultra.

Microsoft continues to struggle with the adoption of Windows 11 among its users. Recent data from Statcounter reveals a notable decline in the operating system’s market share, specifically compared with Windows 10.

After reaching an all-time high of 28.16% in February 2024, Windows 11 has experienced a drop, falling below the 26% mark.

Computing

The ASUS ROG Ally handheld gaming PC has a nice discount today

Starfield running on the Asus ROG Ally.

If you love the power of gaming PCs and the portability of the Nintendo Switch, you should think about getting a handheld gaming PC like the Asus ROG Ally. If you're interested, it's currently on sale from Walmart with an $87 discount that pulls its price down to $400 from $487. It's a pretty popular device so we expect this offer to attract a lot of attention, which means it's probably not going to last long. If you want to get this handheld gaming PC for this cheap, you should proceed with the transaction immediately.

Why you should buy the Asus ROG Ally handheld gaming PC
It's the version of the Asus ROG Ally with the AMD Ryzen Z1 Extreme that's listed in our roundup of the best handheld gaming PCs, but the Asus ROG Ally Z1 is still a worthwhile purchase because it gives you a gaming PC that you can bring with you wherever you go. Unlike a gaming laptop that's still pretty bulky with its large screen and keyboard, the Asus ROG Ally takes on the form of a portable gaming console like the Nintendo Switch, but with Windows 11 pre-installed as a familiar operating system to navigate and launch the best PC games.

Computing

The HP Victus gaming PC with RTX 3060 has a $550 discount

The HP Victus 15L gaming PC in white.

Gamers don't need to spend more than $1,000 if they want to buy a new gaming PC because there are affordable options like the HP Victus 15L gaming desktop. From its original price of $1,400, you can get it for just $850 as HP has applied a $550 discount on this machine. However, you shouldn't delay your purchase because there's no assurance that the gaming PC will still be 39% off tomorrow. If you want to make sure that you get it for less than $1,000, you're going to have to complete the transaction for it within the day.

Why you should buy the HP Victus 15L gaming desktop
You shouldn't expect the HP Victus 15L gaming desktop to match the performance of the top-of-the-line models of the best gaming PCs, but it's surprisingly powerful for its cost. Inside it are the 13th-generation Intel Core i7 processor and the Nvidia GeForce RTX 3060 graphics card, with 16GB of RAM that our guide on how much RAM do you need says is the best place to start for gaming. It's enough to play today's best PC games without any issues, and it may even be capable of running the upcoming PC games of the next few years if you're willing to dial down the settings for the more demanding titles.