Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Security researchers at mobile phone authentication vendor PhoneFactor said they have discovered a serious vulnerability in Secure Sockets Layer (SSL) technology, a common security mechanism used to protect online communications. SSL, the most common data security protocol on the internet, is used to encrypt online banking and commerce transactions, and to secure email and database access. The vulnerability, described as an SSL authentication gap, results from an underlying weakness in the SSL protocol standard, the researchers said. Because of the vulnerability, an attacker could launch a man-in-the-middle attack to intercept an SSL-protected session, then surreptitiously execute commands, according to PhoneFactor. During the attack, both a web server and browser would have no idea the session had been hijacked, researchers said. This vulnerability makes SSL-protected online banking sessions potentially susceptible to attack, they said. In addition, some back-office systems, mail and database servers could be susceptible.The vulnerability will require all SSL libraries to be patched, said PhoneFactor CTO Steve Dispensa. In addition, most client and server applications will need to include new SSL libraries in their products, and users will need to update any software that uses SSL.The flaw was discovered in August by PhoneFactor's Marsh Ray and Steve Dispensa.Since September, the pair have been working with a consortium of affected vendors and standard bodies to fix the vulnerability. The group has come to an agreement about how to repair the underlying issue with the SSL protocol standard and patch SSL libraries. In addition, the group has created a set of recommended methods for mitigating the vulnerability. PhoneFactor's Ray and Dispensa initially volunteered to hold off on disclosing the vulnerability publicly until 2010 to give vendors time to make the necessary patches available. But on Wednesday, an independent researcher who had discovered the flaw posted details about it to an internet mailing list. News of the bug rapidly spread through the security community, prompting Ray and Dispensa to go public with their findings. See original article on scmagazineus.com
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.