PhoneFactor Discovers Major Vulnerability in SSL Authentication
Marsh Ray and Steve Dispensa Discover a Gap in SSL Authentication That Makes It Vulnerable to Man-in-the-Middle Attacks

PhoneFactor, a leading global provider of
two-factor security services, today announced that Marsh Ray and Steve
Dispensa of PhoneFactor discovered a serious vulnerability in SSL, the most
common data security protocol on the Internet. The SSL Authentication Gap
allows an attacker to mount a man-in-the-middle attack, and affects the
majority of SSL-protected servers on the Internet. Specifically, the
vulnerability allows the attacker to inject himself into the authenticated
SSL communications path and execute commands. Furthermore, both the web
server and the web browser generally have no idea their session has been
hijacked.
The vulnerability results from a weakness in the SSL protocol standard
(formally known as Transport Layer Security, or TLS). As such, most SSL
implementations are vulnerable in one way or another. Affected scenarios
include web surfers doing online banking, back-office systems using web
services-based protocols, and non-HTTP applications such as some mail
servers, database servers, and so on.
"Because this is a protocol vulnerability, and not merely an implementation
flaw, the impacts are far-reaching," said Steve Dispensa, CTO of
PhoneFactor. "All SSL libraries will need to be patched, and most client
and server applications will, at a minimum, need to include new copies of
SSL libraries in their products. Most users will eventually need to update
any software that uses SSL."
To address the issue, the PhoneFactor team organized a working group of
affected vendors, together with representatives from the appropriate
standards committees. The group reached a consensus on how to address the
underlying issue in the SSL standard and patch the SSL libraries, and also
created a set of recommended methods for mitigating the vulnerability.
News of the vulnerability broke when a member of an IETF working group
independently discovered the issue and posted it to an IETF mailing list on
November 4th. Word quickly spread through the IT security community.
"The discovery of this vulnerability speaks to a larger issue with single
channel authentication protocols," said Dispensa. "While this vulnerability
is larger in scope than many, man-in-the-middle attacks have been a known
threat for some time. Out-of-band protocols should be considered when
possible to help mitigate the risk of these attacks."
More information is available at http://www.phonefactor.com/sslgap/.
About PhoneFactor
PhoneFactor is an award-winning
two-factor authentication service that uses any phone as a second form
of authentication. Its out-of-band architecture and real-time fraud alerts
provide strong security for enterprise and consumer applications.
PhoneFactor is easy and cost-effective to set up and deploy to large
numbers of geographically diverse users. PhoneFactor was recently named to
the Bank Technology News FutureNow list of the top 10 technology innovators
securing the banking industry today. Learn more at www.phonefactor.com.
Copyright © 2009, MarketWire