Vulnerability in SSL Protocol.
A serious “protocol level” vulnerability has reportedly been found in SSL (see here).
According to the website of the company that discovered the vulnerability (link), which they call the SSL authentication gap: “Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched.”
It is surprising to know that such a widely used protocol can be vulnerable.
2 Responses to 'Vulnerability in SSL Protocol.'
This was indeed a surprise! Check this out too: http://arstechnica.com/security/news/2009/11/https-ssl-attack-vector-discovered-fix-is-on-the-way.ars
And when you check your account balance online tonight, think that someone may be eavesdropping >:)
as44
6 Nov 09 at 5:31 pm
Well actually this vulnerability does not allow eavesdropping, only tampering with the initial portion of a session. The problem is that SSL renegotiation is designed to allow for switching the security, and then continuing without requiring the streams to be reopened. However, due to this style of MITM attack, the streams should be considered to come from different sources potentially.
Also, this vulnerability affects many other protocols routed over TCP (such as SMTP over TLS).
yuliyp
7 Nov 09 at 5:29 am
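The comment above says that data on either side of a renegotiation should be treated as possibly coming from different sources. As an added illustration (not code from the post or its commenters), this toy Python model shows a server attributing a request that straddles a renegotiation to the newly authenticated peer, and the same stream handled with a cross-epoch check. `Event`, `assemble`, the newline framing and the sample data are hypothetical, constructed for the example; it is not a TLS implementation.

```python
# Toy model (constructed): the server-side view of one connection as a list of
# events. Each completed handshake, including a renegotiation, starts a new epoch.
from dataclasses import dataclass

@dataclass
class Event:
    kind: str       # "handshake" or "data"
    value: object   # peer identity (str or None) for a handshake, bytes for data

def assemble(events, reject_cross_epoch):
    """Split the byte stream into newline-terminated requests and attribute each.

    Returns a list of (identity, request, accepted) tuples. With
    reject_cross_epoch=False the server treats the stream as having a single
    source. With True it refuses any request whose bytes arrived under more
    than one handshake epoch.
    """
    results = []
    identity, epoch = None, 0
    buf = bytearray()
    epochs_in_buf = set()
    for ev in events:
        if ev.kind == "handshake":
            epoch += 1
            identity = ev.value          # identity now bound to the connection
            continue
        for byte in ev.value:
            buf.append(byte)
            epochs_in_buf.add(epoch)     # remember which epoch delivered it
            if byte == ord("\n"):
                spans = len(epochs_in_buf) > 1
                accepted = not (reject_cross_epoch and spans)
                results.append((identity, bytes(buf), accepted))
                buf.clear()
                epochs_in_buf.clear()
    return results

# Constructed sample: bytes arrive after an unauthenticated handshake, then a
# renegotiation authenticates a peer called "alice" and the stream continues.
SAMPLE = [
    Event("handshake", None),
    Event("data", b"first-part-"),
    Event("handshake", "alice"),         # renegotiation
    Event("data", b"second-part\n"),
    Event("data", b"whole-request\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("reject_cross_epoch =", mode, assemble(SAMPLE, mode))
```

In the first mode the request `first-part-second-part` is accepted under the identity `alice` even though its first bytes arrived before that identity was established; in the second mode it is flagged while the request sent wholly after the renegotiation is still accepted.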