Banks, tech giants open to web interception attacks

Researcher lists insecure websites on 'bad list'.

The websites of eBay, PayPal, Microsoft and possibly Facebook are among scores vulnerable to an almost three-year-old TLS/SSL renegotiation flaw.

The flaw allows credentials to be stolen from encrypted data streams.

The vulnerable websites were posted on a list operated by Linux programmer Kai Engert in an effort to highlight that the SSL flaw is still active.

Kai Engert

The flaw (CVE-2009-3555) allowed attackers to hijack secure transactions, but with limited access. The attack was demonstrated in 2009 by researcher Anil Kurmus, The Register reported.

However, Engert claims the flaw can only be fixed within web servers, not user web browsers, meaning visitors have remained exposed.

“Several major sites, even banking sites, still use a broken server configuration and are likely vulnerable to man-in-the-middle-attacks,” Engert wrote on the blog.

“What happened if a site administrator made a mistake, and accidentally used the wrong configuration? The site would still work, but the attack would work too, and nobody might notice.

“I hereby call the corporations who run those major sites, to increase security on the web, by eliminating these risks by upgrading to software that uses the fixed protocol RFC 5746.”

Engert’s page lists websites vulnerable to the SSL flaw including mobile.paypal.com, checks.bankofamerica.com, storage.adobe.com, shop.oracle.com, and downloadstore.dell.com.

The “arbitrary” list is updated every three hours.

Users can check whether their browsers support the SSL renegotiation fix at Engert’s website.
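The fix Engert refers to, RFC 5746, is signalled in the handshake itself: a patched server answers a client that offers the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (or the renegotiation_info extension) by echoing a renegotiation_info extension in its ServerHello. The following example is added here and is not code from the article or from Engert's site; it parses a TLS ServerHello record and reports whether that extension is present, which is the same check `openssl s_client` prints as "Secure Renegotiation IS supported". The ServerHello fixtures are constructed inline, and the helper names (`parse_server_hello`, `supports_secure_renegotiation`, `build_server_hello`) are this example's own.

```python
"""Added example: check a TLS ServerHello for RFC 5746 secure renegotiation.
Not part of the original article; fixtures below are constructed for the demo."""
import struct

RENEGOTIATION_INFO = 0xFF01                 # RFC 5746 extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite value
HANDSHAKE_RECORD = 22
SERVER_HELLO = 2


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version,
    negotiated cipher suite and a {type: data} map of extensions."""
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    msg_type, msg_len = body[0], int.from_bytes(body[1:4], "big")
    if msg_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + msg_len]
    pos = 2 + 32                                  # server_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # skip session_id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 1                                      # compression_method
    extensions = {}
    if pos < len(hello):                          # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[ext_type] = hello[pos:pos + ext_len]
            pos += ext_len
    return {"version": version, "cipher_suite": cipher_suite,
            "extensions": extensions}


def supports_secure_renegotiation(record: bytes) -> bool:
    """True only if the server echoes renegotiation_info with the payload
    RFC 5746 requires on an initial handshake: an empty renegotiated_connection,
    encoded as a single zero-length byte. A non-empty payload on an initial
    handshake is a protocol violation, so it is reported as unsupported too."""
    info = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    return info == b"\x00"


def build_server_hello(extensions) -> bytes:
    """Constructed fixture: minimal TLS 1.0 ServerHello record with an empty
    session id, TLS_RSA_WITH_AES_128_CBC_SHA and null compression.
    `extensions` is a list of (type, data) pairs."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample responses: a server running fixed software, a server on the
# pre-RFC 5746 protocol, and a misbehaving server that returns a non-empty
# renegotiated_connection on a first handshake.
PATCHED_SERVER_HELLO = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
LEGACY_SERVER_HELLO = build_server_hello([])
MALFORMED_SERVER_HELLO = build_server_hello(
    [(RENEGOTIATION_INFO, b"\x0c" + bytes(12))])

if __name__ == "__main__":
    for name, rec in (("patched", PATCHED_SERVER_HELLO),
                      ("legacy", LEGACY_SERVER_HELLO),
                      ("malformed", MALFORMED_SERVER_HELLO)):
        print(f"{name}: secure renegotiation {'supported' if supports_secure_renegotiation(rec) else 'NOT supported'}")
```

A server that answers without renegotiation_info is not automatically exploitable: one that refuses all renegotiation also closes the CVE-2009-3555 window. What the check shows is whether the server has moved to the fixed protocol, which is the state Engert's list tracks; servers that merely disabled renegotiation need a separate renegotiation attempt to confirm they reject it.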

Copyright © SC Magazine, Australia
