A major flaw has been found in the SSL protocol (Secure Sockets Layer, used for the padlock you see when conducting a credit card or other sensitive transaction on-line). See the article in Dark Reading: "Major SSL Flaw Find Prompts Protocol Update".
"The bug results in a set of related attacks that allow a man-in-the-middle to do bad things to your SSL/TLS connection. The [attacker] in the middle is able to inject his own chosen text into what your application believes is an encrypted, secure communications channel," says Ray, a senior software development engineer for PhoneFactor. "This has implications for all protocols that run on top of SSL/TLS, such as HTTPS."
Dan Kaminsky, director of penetration testing for IOActive, says he doesn't think the flaw is limited to just injecting traffic. "HTTPS content will leak because of this bug," Kaminsky says. "Never underestimate the usefulness of a subtle cryptographic vulnerability. Nobody would say, 'Well, it's just an iceberg, and we're heading right for it, but it's not like it's cut a huge gash in the ship yet.'"
SSL has been under siege during the past year, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as Kaminsky's research exposing critical flaws in X.509 certificate technology used in SSL.
Patches may be available shortly and more detail on the flaw will be unveiled at the Internet Engineering Task Force (IETF) meeting in Hiroshima next week. SSL is used everywhere: it's going to be patch city on the Internet for some time.
SSL is vital to on-line shopping, so I guess we should be happy a fix is underway just in time for Christmas.
I've written about SSL security issues in the past, most recently in my October 12, 2009 post "DNSSEC is needed to make SSL and email certificates trustworthy and usable". This is a big bug, along the lines of Dan Kaminsky's discovery of the DNS flaw in 2008. It will be interesting to see if this patch is a complete solution or a partial solution like the patch to DNS.
This problem is another indication of how little we know about our lack of information security.