Security Researchers Uncover SSL Vulnerability

Researchers have discovered a hole in the secure sockets layer (SSL) protocol, enabling man-in-the-middle attackers to hack into secure applications despite traffic encryption.

According to security researcher Chris Paget, attackers can exploit this flaw after breaking into shared hosting environments, mail servers or databases, by inserting text into encrypted traffic as it passes between two end users. This can split SSL transactions into fragments, giving attackers the opportunity to inject false commands, such as password resets, into communications which are otherwise encrypted.

“An attacker who has the ability to inject a single arbitrary-length request into a stream of SQL [structured query language] queries and responses would be devastating,” said Paget in a blog post. “Your implementation of SSL can be completely compliant with the protocol, completely immune to code-level vulnerabilities, completely fine at managing its keys, and using ciphers that are completely unbroken, and you are still vulnerable.”

SSL vulnerabilities have been forced into the spotlight since January, when security researchers successfully created a rogue certificate authority using a colliding-certificates attack, in order to demonstrate the need to constantly update security defenses. In August researchers also uncovered several new attacks on the infrastructure of SSL’s digital certificates, aimed at compromising SSL traffic. However, the latest flaw is buried in the protocol itself, posing a much more serious threat.

According to PhoneFactor software developers Marsh Ray and Steve Dispensa, who uncovered the flaw, some of the world’s biggest technology companies are now making moves to establish a new industry standard that will overcome the vulnerability. Developers from OpenSSL and GnuTLS have already developed patches, and are currently in the process of testing them.

“A meeting was held at a helpful company’s headquarters in Mountain View, CA on September 29, where tentative agreement was reached on a preliminary solution in the form of a protocol extension,” Ray said in a public statement.

Despite the potentially devastating consequences of an attack on the SSL protocol, several commentators have pointed out that exploiting the vulnerability would be very difficult to carry out in the real world.

“A man-in-the-middle attack on the internet requires some other weakness to be exploited (in addition to this one) for the bad man to actually get ‘in the middle’ of your network traffic,” Ray told eWEEK Europe. “It’s probably not going to be noticeable for the vast majority of Internet users, although it is still critical that they apply the fixes as they become available from their respective vendors.”

Security researcher Moxie Marlinspike also told The Register: “It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected… I haven’t found these attacks to be very useful in practice.”

Sophie Curtis
