Enterprise IT Watch Blog

Nov 5 2009   9:12AM GMT

New SSL security hole allows man-in-the-middle attacks

Michael Morisy


A newly disclosed SSL security hole allows savvy attackers to inject data into supposedly secure SSL-encrypted streams. Standards bodies and major vendors are working quickly to plug the vulnerability, and for now the practical attack avenues appear relatively limited.

As The Register reported on the SSL bug:

Indeed, Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.

“It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected,” he wrote in an email. “I haven’t found these attacks to be very useful in practice.”

The security hole has been known since August in some circles, with ICASI (Industry Consortium for Advancement of Security on the Internet) heading up “Project Mogul,” an attempt to roll out an industry-wide set of security patches in a coordinated manner.
