Flaw in SSL Protocol Could Infect Secure Connections

Security vendors have once again been prompted to issue warnings, this time because of a new vulnerability in the Secure Sockets Layer (SSL) protocol detected by the security firm PhoneFactor, based in Kansas (USA).

According to the reports, criminals can exploit flaws in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol to embed content into secure connections. This would severely affect HTTPS (Hypertext Transfer Protocol Secure) as well as other protocols that use TLS for security, such as IMAP.

The reports do not discuss the exact impact of this potential abuse. However, it would be possible to manipulate HTML content from websites while the data is in transit.

Chief technologist Steve Dispensa and researcher Marsh Ray at PhoneFactor have devised a way to inject malicious code into secure data streams by using a man-in-the-middle (MITM) attack that places the attacker between the source of the data stream and its target. It abuses a basic weakness in the SSL protocol, which puts the "s" in the "https://" that normally appears at the start of secure Web URLs, according to news published by Forbes on November 5, 2009.

This trick enables an attacker to embed data into an encrypted traffic stream; however, it does not allow them to view the unencrypted contents of that traffic. So the core problem remains the same one that the developers of SSL/TLS have faced quite a few times in the past: the potential for MITM attacks by malicious servers, which can pass themselves off as security authenticators.

PhoneFactor claims that the vulnerability exists in the SSL standard itself, which indicates that all systems using the protocol could be highly exposed to such an attack. Because online bank transactions around the world are currently protected by SSL alone, and because the attack technique is now widely known, the potential for global exploitation has expanded.

According to security experts, server and network administrators will have to install a patch from operating system vendors; however, end users do not need to install any urgent updates.

» SPAMfighter News - 18-11-2009
