Major SSL encryption flaw hits the web

Tech companies using SSL have some serious work to do to fix a big hole that could leave internet users at risk.

SSL secure

A major' vulnerability in SSL (Secure Sockets Layer) authentication has been discovered, potentially leaving web surfers under serious threat.

The authentication gap allows an attacker to perform a man-in-the-middle' attack, according to security researchers at PhoneFactor.

PhoneFactor claimed that most websites using SSL encryption were affected, including online banking and retail sites. Some mail and database servers were also vulnerable.

It also invalidated the SSL lock, which is used to verify whether website communications are secure.

Researchers Marsh Ray and Steve Dispensa are believed to have shown the flaw to a working group of affected vendors, which included Microsoft, Intel, Nokia, IBM, Cisco and Juniper.

In a statement, PhoneFactor said: "[We] volunteered to delay disclosure on the vulnerability until early 2010 to allow time for vendors to make the necessary patches available."

"However, an independent researcher discovered the vulnerability and posted it to Internet Engineering Task Force (IETF) mailing list on November 4th... News of the vulnerability quickly spread through the IT security community," it added.

PhoneFactor added that this was a protocol vulnerability rather than an implementation flaw, so the impact was far reaching.

"All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products," the firm said.

"Most users will eventually need to update any software that uses SSL."

Andrew Clarke, senior vice president for Lumension, said in a statement that the SSL flaw was likely to bring a large number of patches in the near term from vulnerable vendors.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Hackers develop Linux port of Cobalt Strike for new attacks
Security

Hackers develop Linux port of Cobalt Strike for new attacks

14 Sep 2021