Serious vulnerability in SSL discovered

By Angela Moscaritolo
Nov 6, 2009 11:25 AM
Tags: vulnerability | SSL | Secure Sockets Layer | attack | man-in-the-middle
Attacker could intercept an SSL-protected session.

Security researchers at mobile phone authentication vendor PhoneFactor said they have discovered a serious vulnerability in Secure Sockets Layer (SSL) technology, a common security mechanism used to protect online communications.

SSL, the most common data security protocol on the internet, is used to encrypt online banking and commerce transactions, and to secure email and database access. The vulnerability, described as an SSL authentication gap, results from an underlying weakness in the SSL protocol standard, the researchers said. Because of the vulnerability, an attacker could launch a man-in-the-middle attack to intercept an SSL-protected session, then surreptitiously execute commands, according to PhoneFactor.

During the attack, neither the web server nor the browser would have any indication that the session had been hijacked, researchers said.

This vulnerability makes SSL-protected online banking sessions potentially susceptible to attack, they said. In addition, some back-office systems, mail and database servers could be susceptible.

The vulnerability will require all SSL libraries to be patched, said PhoneFactor CTO Steve Dispensa. In addition, most client and server applications will need to include new SSL libraries in their products, and users will need to update any software that uses SSL.

The flaw was discovered in August by PhoneFactor's Marsh Ray and Steve Dispensa.

Since September, the pair have been working with a consortium of affected vendors and standards bodies to fix the vulnerability. The group has agreed on how to repair the underlying issue in the SSL protocol standard and patch SSL libraries. In addition, the group has produced a set of recommended methods for mitigating the vulnerability.
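The article does not name the mechanism behind the authentication gap; the flaw Ray and Dispensa reported is the TLS renegotiation issue, and the protocol-level repair the consortium agreed on was a secure-renegotiation extension (published as RFC 5746) that patched libraries advertise during the handshake. A defender's first question is therefore which servers in an inventory are still running an unpatched library. The following script is an added example, not code from the article or from PhoneFactor: it classifies the handshake summary that `openssl s_client` prints, using the two status lines OpenSSL emits for that extension. The sample captures embedded in it are constructed and do not correspond to real hosts.

```shell
#!/bin/sh
# Added example (not from the article or PhoneFactor): classify the handshake summary
# printed by `openssl s_client` by whether the server advertises the secure-renegotiation
# extension (RFC 5746). A server without it still needs its SSL library updated, which is
# the remediation the article describes.
#
# Live use (not run here; needs network access):
#   openssl s_client -connect example.com:443 </dev/null 2>/dev/null | check_renegotiation
#
# OpenSSL's handshake summary contains exactly one of these lines:
#   Secure Renegotiation IS supported
#   Secure Renegotiation IS NOT supported

# Classify a captured s_client summary passed as the first argument.
# Prints PATCHED, UNPATCHED, or UNKNOWN (no status line found: the handshake
# failed, the capture was truncated, or the output is not from OpenSSL).
renegotiation_status() {
    case "$1" in
        *"Secure Renegotiation IS NOT supported"*) echo UNPATCHED ;;
        *"Secure Renegotiation IS supported"*)     echo PATCHED ;;
        *)                                         echo UNKNOWN ;;
    esac
}

# Same check, reading the summary from stdin so it can end a pipeline.
check_renegotiation() {
    renegotiation_status "$(cat)"
}

# Exit-status form for monitoring scripts: succeeds only when the server is PATCHED,
# so UNKNOWN is treated as a failure rather than silently passing.
is_patched() {
    [ "$(renegotiation_status "$1")" = PATCHED ]
}

# Constructed sample captures (not real hosts), trimmed to the relevant lines.
SAMPLE_PATCHED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE'

SAMPLE_UNPATCHED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE'

# Demo run over the constructed captures.
printf 'patched-sample:   %s\n' "$(renegotiation_status "$SAMPLE_PATCHED")"
printf 'unpatched-sample: %s\n' "$(renegotiation_status "$SAMPLE_UNPATCHED")"
printf 'empty-capture:    %s\n' "$(printf '' | check_renegotiation)"
```

The UNKNOWN branch matters in practice: a scan that reports "not vulnerable" because the handshake never completed is worse than one that says it could not tell, which is why `is_patched` only succeeds on an explicit PATCHED result.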

PhoneFactor's Ray and Dispensa initially volunteered to hold off on disclosing the vulnerability publicly until 2010 to give vendors time to make the necessary patches available. But on Wednesday, a researcher who had independently discovered the flaw posted details about it to an internet mailing list. News of the bug spread rapidly through the security community, prompting Ray and Dispensa to go public with their findings.

See original article on scmagazineus.com

Secure Computing Magazine
