
Big Business' SSL Problem

Published: 05 Nov 2009 20:59:34 PST

BURLINGAME, Calif. -- Secure browsing has taken another major hit, this time from a security outfit called PhoneFactor located in Overland Park, Kan.

PhoneFactor researcher Marsh Ray and chief technologist Steve Dispensa have devised a way to inject malicious code into secure data streams using a man-in-the-middle attack that positions the assailant between a data stream's source and its target. It exploits a fundamental weakness in the Secure Sockets Layer, or SSL, protocol that puts the "s" in the "https://" that appears before secure Web URLs.

The trick allows an attacker to inject data into an encrypted traffic stream, but does not allow the attacker to see the unencrypted contents of that traffic. So, rather than opening doors for an attacker, it's more like allowing someone to follow another person into a room.

PhoneFactor says it discovered the flaw in August, but the word spread after another researcher independently discovered the issue and posted it to a public mailing list. Now industry heavyweights like VeriSign are scrambling to fix the flaw.

The good news, says VeriSign SSL expert Tim Callan, is that this is a problem for companies, not consumers. "We don't believe this is something that the public at large needs to be worried about," Callan says. "The people who need to be cognizant of this are the ones running big Web sites."

More good news: It's patchable. Companies like Microsoft are constantly working on patches to fix vulnerabilities, and this particular bug will likely be stomped out soon. Immediate solutions are available but likely need to be tested before they get deployed.

While independent security researchers like Moxie Marlinspike have called the Internet's trust systems into question, this flaw is very specific. Businesses running large Web sites have good cause to be concerned, but Callan says regular Internet users don't need to panic.

"It's not an attack that is ever directed at an end consumer. It's not an attack that steals your credit card or bank login," Callan says. "It's essentially the equivalent of another network security hole."


Source: Forbes.com
