SSL Protocol Vulnerability Fixed
Engineers have recently released a fix for a potentially dangerous flaw in the Secure Sockets Layer (SSL) protocol, which protects web transactions, e-mail and other sensitive online traffic.
The flaw has reportedly shaken the industry, because it allows an attacker to insert himself into an authenticated SSL session and inject his own data, such as commands, at the start of it. Worse, while the attack is under way neither the web browser nor the server is aware that the session has been compromised.
The flaw lies in the protocol standard itself, Transport Layer Security (TLS), the standardized successor to SSL, so the majority of SSL/TLS implementations are vulnerable in some form. Affected uses include online banking by Internet users, non-HTTP software such as database servers and e-mail servers, and back-office systems built on web-services protocols.
The vulnerability was discovered by researchers Steve Dispensa and Marsh Ray at PhoneFactor. It can be used to carry out man-in-the-middle attacks and exposes companies and consumers to a wide range of malicious attacks.
Notably, since the vulnerability became public in November 2009, several software vendors have simply disabled renegotiation in their products, which means those programs no longer comply with the RFCs that officially specify SSL/TLS. The updated protocol instead restores renegotiation safely by cryptographically binding each renegotiation to the session already in progress, so that an attacker's session cannot be spliced onto a victim's. This is what constitutes the fix.
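The following Python model is added here and is not part of the SPAMfighter article or of PhoneFactor's work. It illustrates both passages above: why a server that treats application data from before and after a renegotiation as one stream lets an attacker's plaintext become a prefix to the victim's authenticated request, and how the binding check in the updated protocol (the renegotiation_info extension later published as RFC 5746, which carries the client's verify_data from the previous handshake) rejects the splice. Nothing here speaks real TLS: a handshake is reduced to a per-connection secret and a 12-byte Finished verify_data derived from it, the server's application-data handling is reduced to a small HTTP request parser, and the secrets, the victim's request and the attacker's prefix (an unterminated header that swallows the victim's request line, a trick taken from the public descriptions of the flaw rather than from this article) are all constructed for the example.

```python
"""Constructed model of the 2009 TLS renegotiation flaw and its fix.

Not real TLS: handshakes are reduced to a connection secret plus the
Finished verify_data derived from it, and the server's application-data
handling is reduced to an HTTP/1.1 request parser.
"""
import hashlib
import hmac


def verify_data(connection_secret: bytes, label: bytes) -> bytes:
    """Stand-in for the Finished message's verify_data (12 bytes in TLS 1.2)."""
    return hmac.new(connection_secret, label, hashlib.sha256).digest()[:12]


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


class ModelServer:
    """Server side of one TLS connection.

    secure_renegotiation=False models the pre-fix behaviour: any renegotiation
    is accepted, and application data received before and after it is treated
    as one continuous stream.  secure_renegotiation=True models the fix: a
    renegotiating client must present the client verify_data of the previous
    handshake on this very connection, which a spliced-in victim cannot know.
    """

    def __init__(self, secure_renegotiation: bool):
        self.secure_renegotiation = secure_renegotiation
        self.previous_client_verify_data = None  # None until the first handshake
        self.app_data = b""

    def handshake(self, client_secret: bytes, renegotiation_info: bytes) -> None:
        is_renegotiation = self.previous_client_verify_data is not None
        if self.secure_renegotiation and is_renegotiation:
            # compare_digest returns False (without raising) on a length mismatch,
            # so an empty renegotiation_info is rejected like a wrong one.
            if not hmac.compare_digest(renegotiation_info, self.previous_client_verify_data):
                raise ConnectionError("handshake_failure: renegotiation_info mismatch")
        self.previous_client_verify_data = verify_data(client_secret, b"client finished")

    def receive(self, data: bytes) -> None:
        self.app_data += data  # the vulnerable behaviour: one stream across handshakes

    def parsed_request(self) -> dict:
        return parse_http_request(self.app_data)


# Constructed inputs for the example.
ATTACKER_SECRET = b"attacker-connection-secret"
VICTIM_SECRET = b"victim-connection-secret"
# Unterminated header: the victim's request line ends up as this header's value.
ATTACKER_PREFIX = b"POST /account/transfer?to=attacker HTTP/1.1\r\nX-Ignore: "
VICTIM_REQUEST = (b"GET /account HTTP/1.1\r\n"
                  b"Host: bank.example\r\n"
                  b"Cookie: session=victim\r\n\r\n")


def run_mitm(secure_renegotiation: bool):
    """Attacker opens its own connection, sends a partial request, then forwards
    the victim's handshake into it as a renegotiation.  Returns the request the
    server ends up parsing, or None if the server aborted the handshake."""
    server = ModelServer(secure_renegotiation)
    server.handshake(ATTACKER_SECRET, renegotiation_info=b"")  # attacker's own handshake
    server.receive(ATTACKER_PREFIX)                              # attacker-chosen plaintext
    try:
        # The victim believes this is its initial handshake, so it sends an empty
        # renegotiation_info; the server sees a renegotiation of the attacker's connection.
        server.handshake(VICTIM_SECRET, renegotiation_info=b"")
    except ConnectionError:
        return None
    server.receive(VICTIM_REQUEST)  # sent under the victim's keys, with the victim's cookie
    return server.parsed_request()


def run_legitimate_renegotiation() -> dict:
    """The same client renegotiates on its own connection: the binding check passes."""
    server = ModelServer(secure_renegotiation=True)
    server.handshake(VICTIM_SECRET, renegotiation_info=b"")
    server.handshake(VICTIM_SECRET, verify_data(VICTIM_SECRET, b"client finished"))
    server.receive(VICTIM_REQUEST)
    return server.parsed_request()


if __name__ == "__main__":
    spliced = run_mitm(secure_renegotiation=False)
    print("vulnerable server executes:", spliced["target"], "with", spliced["headers"][b"cookie"])
    print("fixed server result:", run_mitm(secure_renegotiation=True))
    print("legitimate renegotiation:", run_legitimate_renegotiation()["target"])
```

Run against the vulnerable model, the server acts on the attacker's transfer request authenticated by the victim's cookie, and neither party's TLS layer has seen anything wrong; against the fixed model the same sequence is refused at the handshake, while a genuine renegotiation by the original client still succeeds. Vendors that simply disabled renegotiation avoided the splice but lost the legitimate case as well, which is the non-compliance the article mentions.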
Steve Dispensa, Chief Technology Officer at PhoneFactor, said that with the standard finalized, people would now need to upgrade their implementations and follow the standard strictly for things to work properly, as reported by The Register on January 8, 2010.
After the flaw was disclosed, many people regarded it as a curiosity with little practical effect, arguing that it could be exploited only in a few circumstances. But a graduate student in Turkey has recently carried out an attack against Twitter that exploits precisely this newly discovered SSL vulnerability.
SPAMfighter News - 19-01-2010