| By Robert Vamosi |
A hole discovered recently in Secure Sockets Layer (SSL) HTTP sessions is difficult to exploit but may necessitate a revision of the SSL protocol itself.
The big-name browser vendors are quietly working to patch the vulnerability before the bad guys figure out how to use it to crack secure Web connections.
Transport Layer Security protocol exploitable
Last August, while researching various applications used by two-factor authentication vendor PhoneFactor, researcher Marsh Ray discovered something odd in the way the SSL Transport Layer Security (TLS) protocol handled authentication renegotiation. Ray was able to write an exploit that would, under certain circumstances, allow a man-in-the-middle attack to eavesdrop on SSL sessions used for e-commerce and online banking.
The flaw allows the attacker to join an authenticated SSL session and execute commands. After Ray proved the exploit to his bosses, he chose not to go public and instead followed Dan Kaminsky’s example after he discovered a major DNS flaw in 2008. (WS contributing editor Ryan Russell described the DNS vulnerability in his July 17, 2008, Perimeter Scan column.)
Just as Kaminsky did last year, Ray quietly contacted the vendors most affected by the SSL/TLS flaw and worked in the background to implement a fix before the malware writers got word of it. In September, Google even hosted a meeting at its Mountain View, CA, campus that produced a tentative draft proposal for the Internet Engineering Task Force (IETF). Microsoft had hosted a similar meeting on the DNS flaw for Kaminsky last year.
On Nov. 4 — quite independently — another researcher, Martin Rex of SAP, went public on the IETF TLS mailing list with his discovery of flaws within channel bindings that also affect TLS. A lively and extended discussion ensued.