Tech companies using SSL have some serious work to do to fix a big hole that could leave internet users at risk.
A ‘major’ vulnerability in SSL (Secure Sockets Layer) authentication has been discovered, potentially leaving web surfers under serious threat.
The authentication gap allows an attacker to perform a ‘man-in-the-middle’ attack, according to security researchers at PhoneFactor.
It also invalidates the SSL lock icon, which browsers display to indicate that communication with a website is secure.
[Editor’s Note: At first glance, this story looks a lot like last September’s and last August’s stories of SSL vulnerabilities. In fact, this is far worse. It is not our purpose to make your life harder by forcing you to know how often SSL encryption is used in your life. Suffice it to say, this is not going to be handled by a simple patch from Firefox or Apple a week later. And now, even worse, it is in the open: the bad guys know where to attack.
How does it affect you as the above-average user? First off: everything that you learned about trusting the little lock on the browser window is no longer valid.
- Make certain that your employees are extra vigilant with all computers, and with all USB sticks. We don’t know how the BlackHats are going to exploit this yet.
- Don’t download anything that doesn’t come directly from someone that you know.
- Don’t trust any email that says that “We are helping you, just click here.”
- Don’t trust any email with a link where the actual link address isn’t shown, or where the part of the address immediately before the first slash isn’t .com or .org or .co.uk. For example, http://www.ebay.com.hacker.ru shouldn’t make you feel comfortable that it came from ebay.com: the end of the host name in the URL (Uniform Resource Locator), just before the /, is the controlling item.
- And, of course, right now:
  - a) make certain that your backup system is working and that it keeps several iterations of the backup,
  - b) make certain that your virus software is up to date,
  - c) make certain that all wifi signals are using WPA2 security with a password that doesn’t contain any dictionary word, and
  - d) systematically reformat the USB sticks that are being used to take keys to your Digital Cinema Servers.
- If you have a computer network in your office, hire a security expert to come and train your employees on security for an hour or two, in addition to checking your network for vulnerabilities and out-of-date software (including Flash/Shockwave, Reader, Firefox and all virus software; they’ve all been updated recently for multiple security reasons).
- Wait one week, then have the expert return and answer any questions that the employees now have since they learned what to look for.
For the ultra techs, here is the link to the basic research on this:
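As an added illustration of the URL rule in the list above (this is example code, not part of the original note), the following Python helper picks out the part of a link’s host name that actually controls where the link goes, and flags the look-alike patterns the note warns about. The trusted-domain list and the short public-suffix table are constructed assumptions for the example; a real check would consult the full Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: domains the reader has decided to trust.
TRUSTED_DOMAINS = {"ebay.com", "paypal.com"}

# Constructed, deliberately tiny stand-in for the Public Suffix List, so that
# "amazon.co.uk" is treated as one registrable domain rather than "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(hostname: str) -> str:
    """Return the labels just before the first '/' that the owner actually controls."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_verdict(url: str) -> dict:
    """Explain which domain a link really points at and why it may be suspicious."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    warnings = []
    # "http://www.ebay.com@hacker.ru/" puts the familiar name in the user-info
    # field; the browser connects to hacker.ru, not ebay.com.
    if parts.username is not None:
        warnings.append(f"user-info '{parts.username}' before '@' is not the host")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
        domain = host
    except ValueError:
        domain = registrable_domain(host)
    if parts.scheme != "https":
        warnings.append("not an https:// link, so no lock would appear at all")
    trusted = domain in TRUSTED_DOMAINS
    if not trusted and any(t in host for t in TRUSTED_DOMAINS):
        warnings.append(f"'{host}' merely contains a trusted name; it is controlled by {domain}")
    return {"host": host, "controlling_domain": domain, "trusted": trusted, "warnings": warnings}
```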
MITM attack on delayed TLS-client auth through renegotiation
End Editor Note]
For the original article, please read:
Major SSL encryption flaw hits the web | IT PRO
By Asavin Wattanajantra, 6 Nov 2009 at 15:53
Researchers Marsh Ray and Steve Dispensa are believed to have shown the flaw to a working group of affected vendors, which included Microsoft, Intel, Nokia, IBM, Cisco and Juniper.
In a statement, PhoneFactor said: “[We] volunteered to delay disclosure on the vulnerability until early 2010 to allow time for vendors to make the necessary patches available.”
“However, an independent researcher discovered the vulnerability and posted it to the Internet Engineering Task Force (IETF) mailing list on November 4th… News of the vulnerability quickly spread through the IT security community,” it added.
PhoneFactor added that this was a protocol vulnerability rather than an implementation flaw, so the impact was far reaching.
“All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products,” the firm said.
“Most users will eventually need to update any software that uses SSL.”
Andrew Clarke, senior vice president for Lumension, said in a statement that the SSL flaw was likely to bring a large number of patches in the near term from vulnerable vendors.