A newly disclosed SSL security hole allows savvy attackers to inject data into supposedly secure streams of the encryption standard, but while standards bodies and major vendors are quickly working to plug the vulnerability, it seems the attack avenues are currently relatively minimal.
As The Register reported on the SSL bug:
Indeed, Moxie Marlinspike a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.
“It’s clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected,” he wrote in an email. “I haven’t found these attacks to be very useful in practice.”
The security hole has been known since August in some circles, with ICASI (Industry Consortium for Advancement of Security on the Internet) heading up “Project Mogul,” an attempt to roll out an industry-wide set of security patches in a coordinated manner.