SSL Web Security Protocol Compromised by Researchers

Ethernet connector

Two researchers with PhoneFactor, a company that offers two-factor authentication services, say that thay have uncovered a serious vulnerability in SSL (Secure Sockets Layer), a fundamental online security technology that’s widely used to safeguard ecommerce transactions and other sensitive data. The flaw, in theory, can enable attackers to insert themselves into a secured online transaction as a “man in the middle,” able to view all data moving back and forth between two parties—and alter the data stream and issue commands—on what the users believe is a secured connections.

The researchers, Marsh Ray and Steve Dispensa, found the error in August 2009 and reported it to a group of impacted vendors and standards committees without publicly disclosing the problem. PhoneFactor had planned to hold off on disclosing the vulnerability until early 2010 in order to give vendors time to patch their SSL software and deploy fixed versions to their customers, but another research discovered the bug independently and posted it to an IETF mailing list on November 4.

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said PhoneFactor CTO Steve Dispensa, in a statement. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

SSL is widely used to secure transmissions for a variety of applications, from ecommerce and online banking, Web-based management of almost any sort of customer account, as well as non-Web applications like database servers, email, and enterprise systems.

The new vulnerability is not the first to hit SSL in recent months: at the Black Hat security conference in Las Vegas security researchers Mike Zusman and Alex Sotirov demonstrated a browser design flaw that enabled man-in-the-middle attacks on SSL connections. Other recent attacks on SSL have focused on clandestinely shifting traffic from SSL_protected https:// connections to unsecured http:// links.

Emerging Tech

Awesome Tech You Can’t Buy Yet: heat-powered watches, phone cases with reflexes

Check out our roundup of the best new crowdfunding projects and product announcements that hit the web this week. You may not be able to buy this stuff yet, but it sure is fun to gawk!
Smart Home

The best sous vide machines cook your food perfectly, every single time

Want to make four-star meals from the comforts of your own kitchen? Here are the best sous vide machines available right now, whether you prefer simple immersion circulators or something more complex.
Home Theater

Want to mirror your smartphone or tablet onto your TV? Here's how

A vast arsenal of devices exists to allow sending anything on your mobile device to your TV. Our in-depth guide shows you how to mirror content from your smartphone or tablet to the big screen from virtually any device available.
Mobile

Android vs. iOS: Which smartphone platform is the best?

If you’re trying to choose a new phone and you’re not sure about the merits and pitfalls of the leading smartphone operating systems, then come on in for a detailed breakdown as we pit Android vs. iOS in various categories.
Deals

From Chromebooks to MacBooks, here are the best laptop deals for January 2019

Whether you need a new laptop for school or work or you're just doing some post-holiday shopping, we've got you covered: These are the best laptop deals going right now, from discounted MacBooks to on-the-go gaming PCs.
Computing

Keep your laptop battery in tip-top condition with these handy tips

Learn how to care for your laptop's battery, how it works, and what you can do to make sure yours last for years and retains its charge. Check out our handy guide for valuable tips, no matter what type of laptop you have.
Product Review

LG Gram 14 proves 2-in-1 laptops don’t need to sacrifice battery for light weight

The LG Gram 14 2-in-1 aims to be very light for a laptop that converts to a tablet. And it is. But it doesn’t skimp on the battery, and so it lasts a very long time on a charge.
Computing

Protect your expensive new laptop with the best Macbook cases

If you recently picked up a new MacBook, you’ll want something to protect its gorgeous exterior. Here, we've gathered the best MacBook cases and covers, whether you're looking for style or protection.
Computing

Watch out for these top-10 mistakes people make when buying a laptop

Buying a new laptop is exciting, but you need to watch your footing. There are a number of pitfalls you need to avoid and we're here to help. Check out these top-10 laptop buying mistakes and how to avoid them.
Computing

Don't spend a fortune on a PC. These are the best laptops under $300

Buying a laptop needn't mean spending a fortune. If you're just looking to browse the internet, answer emails, and watch Netflix, you can pick up a great laptop at a great price. These are the best laptops under $300.
Computing

Dell XPS 13 vs. Asus Zenbook 13: In battle of champions, who will be the victor?

The ZenBook 13 UX333 continues Asus's tradition of offering great budget-oriented 13-inch laptop offerings. Does this affordable machine offer enough value to compete with the excellent Dell XPS 13?
Gaming

Take a trip to a new virtual world with one of these awesome HTC Vive games

So you’re considering an HTC Vive, but don't know which games to get? Our list of 25 of the best HTC Vive games will help you out, whether you're into rhythm-based gaming, interstellar dogfights, or something else entirely.
Computing

The Asus ZenBook 13 offers more value and performance than Apple's MacBook Air

The Asus ZenBook 13 UX333 is the latest in that company's excellent "budget" laptop line, and it looks and feels better than ever. How does it compare to Apple's latest MacBook Air?
Computing

AMD Radeon VII will support DLSS-like upscaling developed by Microsoft

AMD's Radeon VII has shown promise with early tests of an open DLSS-like technology developed by Microsoft called DirectML. It would provide similar upscale features, but none of the locks on hardware choice.