Stephen Withers
Friday, 06 November 2009 03:15
Although Rex's scenario was relatively specific, it had enough in common with PhoneFactor's discoveries to lead that company to go public.
All libraries and programs implementing SSL will need to be updated, and it seems that smartcard-based systems as well as the supposedly secure HTTPS connections between browsers and web servers are affected.
Until the problem is fixed, you won't be able to trust the little key in your browser that you thought meant nobody could eavesdrop on your Internet banking session, for example.
The difficulty with such a fundamental issue is that it requires a co-ordinated response. If updated protocol documents are made public before the implementations are ready, the bad guys have a window of opportunity.
The same situation occurs if one or more developers provide updates before their peers are ready to do the same.
Furthermore, the whole point of a protocol is that it standardises the way a particular task is performed. So if one end of the link is fixed and the other still insists on doing things the old way, the fixed end must either fall back to the old behaviour or refuse to talk at all, and in the former case no improvement in security will be achieved.
It is understood that some widely used code has already been patched and testing is underway. But now that word is out, all developers will most likely be pressing ahead to complete the job as soon as possible.