Crippling SSL vulnerability discovered

A serious security flaw has been discovered in the SSL protocol, commonly used to encrypt web pages in order to secure online transactions against eavesdropping or interception. The problem was originally discovered by security researchers Marsh Ray and Steve Dispensa at PhoneFactor, who originally planned to disclose it only next year. The delay was meant to give security vendors sufficient time to fix their products.

However, the same vulnerability was discovered by an independent security researcher, who promptly posted about it on an Internet Engineering Task Force mailing list. As you can imagine, that blew Pandora's Box wide open, prompting PhoneFactor to come forward with the details of its findings.

The vulnerability in SSL is particular crippling because it is a protocol weakness, and not the fault of a programmer who implemented a code library wrongly. In a nutshell, all encryption technology that relies on SSL is affected by the vulnerability, and is open to eventual exploitation. Basically, it is now possible for an attacker with the right tools to execute a man-in-the-middle attack to hijack a bona fide SSL session.

To underscore the severity, Steve Dispensa wrote in a statement: "All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL."

You can check out their blog here for more information.

For more on this story:
- check out this article at InformationWeek

Related Articles:
Researchers poke holes in EV SSL
Researchers demonstrate more physical ways to spy on keystrokes
Just launched IE 8 successfully hacked
$10,000 cash prize for smartphone hacks