Secure Sockets Layer (SSL) vulnerable to man-in-the-middle hacks
Posted on | November 12, 2009 | add a comment
Marsh Ray and Steve Dispensa, researchers at authentication services vendor PhoneFactor, recently discovered a gaping security hole in Secure Socket Layer, or SSL. This technology, along with the newer Transport Layer Security, or TLS, gets used widely to secure online retail transactions. A similar SSL vulnerability was discovered by researcher H.D. Moore, of Metasploit fame, in May 2008.
Both discoveries were of the good-guy variety — no one knows whether cyber crooks have knowledge of these SSL flaws and/or have begun to exploit them, and, if so, to what extent.
Ray and Dispensa say the SSL vulnerability they discovered affects the majority of SSL-protected servers on the Internet and could allow an attacker to mount a man-in-the-middle attacks, akin to those used in sophisticated banking Trojans, a prime example being the $6 million cyber heist described in this LastWatchdog investigation. Dispensa describes this most recent SSL security hole — and the threat it poses — in this exclusive LastWatchdog guest blogpost.
By Steve Dispensa
CTO, PhoneFactor
While my colleague Marsh Ray and I were conducting tests on PhoneFactor’s authentication platform in August, Marsh discovered a significant vulnerability in SSL that exists in every web server that uses this 13 year old security protocol. Typically, man-in-the-middle attacks use malware installed on a user’s computer and are tied to countless incidents of fraud. The newly discovered SSL vulnerability allows the same type of man-in-the-middle attack but does not require either the user’s computer or the website be compromised.
The vulnerability exposes users connecting to an unsecured Wi-Fi network or a compromised router to a man-in-the-middle attack, which allows an attacker to inject malicious data and commands into the authenticated SSL communications path. The privacy provided by SSL remains intact, but an attacker would have the ability to insert new commands – to change the user’s email address and password or initiate transactions like wire transfers. This can be done without either the client or server being able to detect the attack.
Knowing the extensive ramifications of this vulnerability, we quickly assembled a group of affected vendors – Google, Cisco, Juniper, Microsoft and others – and the relevant standards organizations to create a strategy to patch the vulnerability and resolve the underlying issue with the SSL protocol itself. Ultimately, all SSL libraries will need to be patched, and most client and server applications will need to include new copies of SSL libraries in their products. Eventually, most users will need to update any software that uses SSL. Several vendors already have implemented changes and are shipping code, but the process will take some time. You can track the vendor community’s progress here .
It is concerning to know that such a fundamental problem has existed in such a widely used and trusted protocol for at least the last 13 years. The phrase “trust, but verify” takes on a whole new meaning with this SSL vulnerability.
