Open SSL Flaw Invites Forgery
Some implementations of RSA cryptography have a loophole. This has made "Secure Socket Layer" (SSL) and other cryptography toolkits vulnerable to signatures forged by hackers. This would allow them to forge websites and mislead SSL clients.
The first report of the loophole came from 'Open SSL', a well-known SSL client used by various websites to host them on the Internet. The loophole also exists in Linux distributor 'Fedora' that also uses 'Open SSL' in its famous distribution - 'Fedora Core 5'. Daniel Bleichenbacher of Bell Labs found this flaw, and security researchers apprehend more flaws in the future.
Thomas Ptacek of 'Matasano Security' said that there was concern in some hardware-pushed appliances being susceptible to the attack. The enterprise involvement is possibly even bad than the browser involvement because many enterprises rely on 'SSL client certificates' to legalize their applications, while "SSL VPNs" are the chief supports for an enterprise.
The flaw does not affect some browsers like Internet Explorer, Mozilla Firefox, and Apple Safari. Said Window Snyder, head of security operations in Mozilla that they are taking the matter seriously and also investigating their code base.
Currently the greatest worry is that a hacker can take advantage of the flaw in swindling websites. The presence of the flaw means that miscreants are able to produce forged SSL certificates for any website, run them into a Web server and deceive browsers into accepting them, said Ptacek. This type of attack is somewhat different as it is possible to execute it off line. An individual can establish a shop and sell fake certificates like car stereos stolen from somewhere. All it requires is the knowledge of configuring a 'Web server'.
An independent researcher, Dan Kaminsky has compared this off line forgery with a "photo ID card" that contains a hologram, which confirms the person and the photograph. The forgery of the photo ID card is executed by disconnecting the "hologram" and "photo" and instead let the 'bug' work. The hacker can do a similar thing with digital signatures.
If an external element is inserted into a cryptographic algorithm, undesirable things can happen, adds Kaminsky.
Related article: Obama, Palin Topped in Election Related Spam
» SPAMfighter News - 20-09-2006