More holes found in Web's SSL security protocol

By Robert McMillan

IDG News Service - Security researchers have found serious flaws in software that implements SSL (Secure Sockets Layer), the encryption protocol used to secure communications on the Internet.

At the Black Hat conference in Las Vegas on Thursday, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.

This type of attack could let an attacker steal passwords, hijack an online banking session, or even push out a Firefox browser update containing malicious code, the researchers said.

The problems lie in the way many browsers have implemented SSL, and also in the X.509 public key infrastructure used to manage the digital certificates with which SSL decides whether or not a Web site is trustworthy.

A security researcher calling himself Moxie Marlinspike showed a way of intercepting SSL traffic using what he calls a null-termination certificate. To make his attack work, Marlinspike must first get his software on a ...
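The null-termination certificate mentioned above exploits a mismatch between how a certificate carries a name and how a browser compares it: the X.509 common name is an ASN.1 string with an explicit length, so it may contain a NUL byte, while much client code copies it into a C string and compares with strcmp, which stops at the first NUL. The following is an added example, not code from the article or from the researchers, showing a vulnerable hostname check beside a hardened one. The domain names and the CN bytes are constructed for the demonstration; the idea is that a CA which only validated ownership of the tail domain would still issue a certificate whose CN begins with the victim's hostname followed by a NUL byte.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the CN as it arrives from the ASN.1 parser,
 * i.e. a byte buffer plus an explicit length, not a C string.
 * The attacker owns "attacker.example"; the CN reads
 * "www.bank.example" NUL ".attacker.example". */
static const unsigned char CN_ATTACK[] = "www.bank.example\0.attacker.example";
#define CN_ATTACK_LEN (sizeof(CN_ATTACK) - 1)   /* 34 bytes, embedded NUL included */

/* An honest certificate for comparison. */
static const unsigned char CN_HONEST[] = "www.bank.example";
#define CN_HONEST_LEN (sizeof(CN_HONEST) - 1)   /* 16 bytes */

/* Vulnerable: copies the CN into a C string and compares with strcmp.
 * Everything after the embedded NUL disappears, so the attacker's
 * certificate matches the bank's hostname. */
bool vuln_hostname_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof(buf))
        return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened: honour the explicit length.  A legitimate hostname never
 * contains a NUL byte, so reject any CN that does, then require the
 * full length to agree before comparing every byte. */
bool safe_hostname_match(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return false;
    if (cn_len != strlen(host))
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("attack CN, strcmp-based check : %s\n",
           vuln_hostname_match(CN_ATTACK, CN_ATTACK_LEN, host) ? "ACCEPTED" : "rejected");
    printf("attack CN, length-aware check : %s\n",
           safe_hostname_match(CN_ATTACK, CN_ATTACK_LEN, host) ? "ACCEPTED" : "rejected");
    printf("honest CN, length-aware check : %s\n",
           safe_hostname_match(CN_HONEST, CN_HONEST_LEN, host) ? "accepted" : "REJECTED");
    return 0;
}
```

Real hostname matching also has to handle case-insensitivity and wildcards, which this example leaves out; the point is only that the comparison must be driven by the certificate's own length field rather than by a C terminator.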

Comments

Most of these attacks are an extension of the man-in-the-middle attack designed by Sotirov at the beginning of this year. They used a known weakness of MD5 to sign forged certificates. Interestingly, the countermeasure was simply to refuse any MD5-signed certificate.

At Black Hat, they disclosed that the new EV-certificate-based sites could still be prone to these MD5 certificates. The idea was to start the session with EV certificates, and during the session switch to the forged MD5 certificates. Most browsers (if not all) accept this certificate switching.

Not simple to solve. See the paper at http://www.blackhat.com/presentations/bh-usa-09/ZUSMAN/BHUSA09-Zusman-AttackExtSSL-PAPER.pdf