Tech companies are rushing to patch the SSL security protocol following the discovery of a potentially “devastating” flaw
Researchers have discovered a hole in the secure sockets layer (SSL) protocol, enabling man-in-the-middle attackers to hack into secure applications despite traffic encryption.
According to security researcher Chris Paget, hackers can exploit this flaw by breaking into shared hosting environments, mail servers and databases, and inserting text into encrypted traffic as it passes between two end users. This could lead to fragmentation of SSL transactions, giving hackers the opportunity to inject false commands such as password resets into communications which are otherwise encrypted.
“An attacker who has the ability to inject a single arbitrary-length request into a stream of SQL [structured query language] queries and responses would be devastating,” said Paget in a blog post. “Your implementation of SSL can be completely compliant with the protocol, completely immune to code-level vulnerabilities, completely fine at managing its keys, and using ciphers that are completely unbroken, and you are still vulnerable.”
SSL vulnerabilities have been forced into the spotlight since January, when security researchers successfully created a rogue certificate authority by using a colliding certificates attack, in order to demonstrate the need to constatly update security defenses. In August researchers also uncovered several new attacks on the infrastructure of SSL’s digital certificates, which attempted to compromise SSL traffic. However, the latest flaw is buried in the protocol itself, posing a much more serious threat.
According to PhoneFactor software developers Marsh Ray and Steve Dispensa, who uncovered the flaw, some of the world’s biggest technology companies are now making moves to establish a new industry standard that will overcome the vulnerability. Developers from OpenSSL and GnuTLS have already developed patches, and are currently in the process of testing them.
“A meeting was held at a helpful company’s headquarters in Mountain View, CA on September 29, where tentative agreement was reached on a preliminary solution in the form of a protocol extension,” Ray said in a public statement.
Despite the potentially devastating consequences of an attack on on the SSL protocol, several commentators have pointed out such an attempt to exploit the vulnerability would be very difficult to carry out in the real world.
“A man-in-the-middle attack on the internet requires some other weakness to be exploited (in addition to this one) for the bad man to actually get ‘in the middle’ of your network traffic,” Ray told eWEEK Europe. “It’s probably not going to be noticeable for the vast majority of Internet users, although it is still critical that they apply the fixes as they become available from their respective vendors.”
Security researcher Moxie Marlinspike also told the Register “It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected… I haven’t found these attacks to be very useful in practice.”