Skip to main content
  1. Home
  2. Computing
  3. News

SSL Web Security Protocol Compromised by Researchers

Geoff Duncan
By
Ethernet connector
Image used with permission by copyright holder

Two researchers with PhoneFactor, a company that offers two-factor authentication services, say that thay have uncovered a serious vulnerability in SSL (Secure Sockets Layer), a fundamental online security technology that’s widely used to safeguard ecommerce transactions and other sensitive data. The flaw, in theory, can enable attackers to insert themselves into a secured online transaction as a “man in the middle,” able to view all data moving back and forth between two parties—and alter the data stream and issue commands—on what the users believe is a secured connections.

The researchers, Marsh Ray and Steve Dispensa, found the error in August 2009 and reported it to a group of impacted vendors and standards committees without publicly disclosing the problem. PhoneFactor had planned to hold off on disclosing the vulnerability until early 2010 in order to give vendors time to patch their SSL software and deploy fixed versions to their customers, but another research discovered the bug independently and posted it to an IETF mailing list on November 4.

Recommended Videos

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said PhoneFactor CTO Steve Dispensa, in a statement. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

Related

SSL is widely used to secure transmissions for a variety of applications, from ecommerce and online banking, Web-based management of almost any sort of customer account, as well as non-Web applications like database servers, email, and enterprise systems.

The new vulnerability is not the first to hit SSL in recent months: at the Black Hat security conference in Las Vegas security researchers Mike Zusman and Alex Sotirov demonstrated a browser design flaw that enabled man-in-the-middle attacks on SSL connections. Other recent attacks on SSL have focused on clandestinely shifting traffic from SSL_protected https:// connections to unsecured http:// links.

Editors' Recommendations

Geoff Duncan
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
I finally found a gaming laptop utility that’s actually worth using
The Asus ROG Zephyrus G16 sitting on a coffee table.

Nearly all gaming laptops come with bundled first-party software, and most of it isn't all that good. They tend to be poorly designed and riddled with bloatware and features that you'll never need. Armoury Crate is Asus' version of that, and while it isn't terrible, it suffers from many of those same problems.

A large number of users on Reddit have voiced their criticism of Armoury Crate, accusing it of being buggy, broken, and overly complex. Some of the most common issues include the software's cluttered user interface, promotional pop-ups, unnecessary bloatware, and the high usage of system resources. In my experience, I do find Armoury Crate's UI to be confusing, and I've also noticed that the software runs way too many background processes and services, some of which seem unnecessary.

Read more
How to delete Slack messages on desktop and mobile
how to delete slack messages message confirm mac desktop

If your company uses Slack as its preferred communication tool, then you'll need to know the basics of navigating it. And one action you might want to know how to take in Slack is deleting a message. You can remove a direct message or one you post in a channel using any of the Slack desktop, web, and mobile applications.

For those times when you type a message in the wrong channel or conversation or simply say something you wish you hadn’t, here’s how to delete Slack messages.

Read more
How to download a video from Facebook
An elderly person holding a phone.

Facebook is a great place for sharing photos, videos, and other media with friends and family. But what if you’d like to download a video to store offline? This means you’d be able to watch the clip on your PC or mobile device, without needing to be connected to the internet. Fortunately, there’s a way to download Facebook videos to your everyday gadgets, although it’s not as straightforward a process as it could be.

Read more