By Robert McMillan
July 30, 2009
IDG News Service
Security researchers have found serious flaws in software that implements
SSL (Secure Sockets Layer), the encryption protocol used to secure
communications on the Internet.
At the Black Hat conference in Las Vegas on Thursday, researchers
unveiled a number of attacks that could be used to compromise secure
traffic travelling between Web sites and browsers.
This type of attack could let an attacker steal passwords, hijack an
on-line banking session or even push out a Firefox browser update that
contained malicious code, the researchers said.
The problems lie in the way that many browsers have implemented SSL, and
also in the X.509 public key infrastructure system that is used to
manage the digital certificates used by SSL to determine whether or not
a Web site is trustworthy.
A security researcher calling himself Moxie Marlinspike showed a way of
intercepting SSL traffic using what he calls a null-termination
certificate. To make his attack work, Marlinspike must first get his
software on a local area network. Once installed, it spots SSL traffic
and presents his null-termination certificate in order to intercept
communications between the client and the server. This type of
man-in-the-middle attack is undetectable, he said.
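The reason a null-termination certificate can fool a client is a parsing mismatch: the subject name in a certificate is length-prefixed, while much C code compares it as a NUL-terminated string, so everything after an embedded NUL is silently ignored. The following C is an added illustration, not code from the article or from any browser; the certificate names are constructed samples, and it contrasts the string-based check with a length-aware one that rejects embedded NULs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Flawed check: copies the length-prefixed name into a C string and
 * compares with strcmp(), so bytes after an embedded NUL are never seen. */
bool name_matches_naive(const unsigned char *cn, size_t cn_len,
                        const char *expected)
{
    char buf[256];
    if (cn_len >= sizeof buf) return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Hardened check: honours the declared length, refuses any name that
 * contains a NUL byte, and requires the whole byte sequence to match. */
bool name_matches_strict(const unsigned char *cn, size_t cn_len,
                         const char *expected)
{
    if (memchr(cn, '\0', cn_len) != NULL) return false; /* embedded NUL */
    size_t exp_len = strlen(expected);
    if (cn_len != exp_len) return false;
    return memcmp(cn, expected, cn_len) == 0;
}

/* Constructed samples (hypothetical hostnames). SPOOFED_CN carries an
 * embedded NUL after "bank.example"; HONEST_CN is a normal name. */
static const unsigned char SPOOFED_CN[] = "bank.example\0attacker.example";
#define SPOOFED_CN_LEN (sizeof SPOOFED_CN - 1)
static const unsigned char HONEST_CN[] = "bank.example";
#define HONEST_CN_LEN (sizeof HONEST_CN - 1)

/* Returns true only if the strict check disagrees with the naive one for
 * the spoofed sample, i.e. the hardened path actually closes the gap. */
bool strict_check_rejects_spoof(void)
{
    return name_matches_naive(SPOOFED_CN, SPOOFED_CN_LEN, "bank.example") &&
           !name_matches_strict(SPOOFED_CN, SPOOFED_CN_LEN, "bank.example") &&
           name_matches_strict(HONEST_CN, HONEST_CN_LEN, "bank.example");
}
```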