More holes found in Web's SSL security protocol

More holes found in Web's SSL security protocol
More holes found in Web's SSL security protocol 

By Robert McMillan
July 30, 2009 
IDG News Service

Security researchers have found some serious flaws in software that uses 
the SSL (Secure Sockets Layer) encryption protocol used to secure 
communications on the Internet.

At the Black Hat conference in Las Vegas on Thursday, researchers 
unveiled a number of attacks that could be used to compromise secure 
traffic travelling between Web sites and browsers.

This type of attack could let an attacker steal passwords, hijack an 
on-line banking session or even push out a Firefox browser update that 
contained malicious code, the researchers said.

The problems lie in the way that many browsers have implemented SSL, and 
also in the X.509 public key infrastructure system that is used to 
manage the digital certificates used by SSL to determine whether or not 
a Web site is trustworthy.

A security researcher calling himself Moxie Marlinspike showed a way of 
intercepting SSL traffic using what he calls a null-termination 
certificate. To make his attack work, Marlinspike must first get his 
software on a local area network. Once installed, it spots SSL traffic 
and presents his null-termination certificate in order to intercept 
communications between the client and the server. This type of 
man-in-the-middle attack is undetectable, he said.


Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods