Forums » Up and Running » Security » Security » Zero-day flaw found in web encryption
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

Zero-day flaw found in web encryption

»news.zdnet.co.uk/security/0,1000···ent;col1

quote:
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.
quote:
The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user, the researchers said in a technical paper.

The fault lies in an "authentication gap" in TLS, Ray and Dispensa said. During the cryptographic authentication process, in which a series of electronic handshakes take place between the client and server, there is a loss of continuity in the authentication of the server to the client. This gives an attacker an opening to hijack the data stream, they said.

In addition, the flaw allows practical man-in-the-middle attacks against hypertext transfer protocol secure (Https) servers, the researchers said. Https is the secure combination of http and TLS used in most online financial transactions.
Also see »www.tombom.co.uk/blog/?p=85

This might be interesting to watch.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
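As an added illustration (not code from this thread or from the researchers' paper), a small Python model of the "authentication gap" in the ZDNet excerpt above: the application sees one continuous byte stream across a renegotiation, so a naive request assembler attributes bytes that arrived before the new handshake to the peer that handshake authenticated, while the hardened assembler treats the renegotiation as a trust boundary and discards them. The event stream and the peer name "alice" are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class NaiveAssembler:
    """Vulnerable pattern: one buffer, identity taken from the latest handshake."""
    buf: bytes = b""
    peer: Optional[str] = None          # None = no peer authenticated yet

    def data(self, b: bytes) -> None:
        self.buf += b

    def renegotiated(self, peer: str) -> None:
        self.peer = peer                # bytes already in buf are silently re-attributed

    def request(self) -> Tuple[Optional[str], bytes]:
        return self.peer, self.buf


@dataclass
class BoundaryAssembler:
    """Hardened pattern: a renegotiation is a trust boundary; anything buffered
    before it was not covered by the new handshake and is dropped rather than
    attributed to the newly authenticated peer."""
    buf: bytes = b""
    peer: Optional[str] = None
    dropped: int = 0                    # bytes discarded at the boundary (for logging/alerting)

    def data(self, b: bytes) -> None:
        self.buf += b

    def renegotiated(self, peer: str) -> None:
        self.dropped += len(self.buf)
        self.buf = b""
        self.peer = peer

    def request(self) -> Tuple[Optional[str], bytes]:
        return self.peer, self.buf


def run(assembler, events):
    """Feed ("data", bytes) / ("renegotiate", peer) events and return the assembled request."""
    for kind, payload in events:
        if kind == "data":
            assembler.data(payload)
        else:
            assembler.renegotiated(payload)
    return assembler.request()


# Constructed event stream: bytes arrive before any peer is authenticated,
# then a renegotiation authenticates "alice", then alice's own bytes arrive.
EVENTS = [
    ("data", b"PRE-BOUNDARY BYTES\r\n"),
    ("renegotiate", "alice"),
    ("data", b"GET /account HTTP/1.1\r\n\r\n"),
]
```

Running both assemblers over EVENTS shows the naive one hands the application a single request "from alice" that begins with bytes alice never sent; the boundary-aware one returns only the post-handshake bytes and records how much it dropped.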


rawwhide
Zer0
Premium
join:2000-09-03
Zero
clubs:
·AT&T DSL Service

said by Link Logger:

This might be interesting to watch.

Blake
Interesting indeed. This isn't specific to an application, but to the protocol.
Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.

--
To talk much and arrive nowhere is the same as climbing a tree to catch a fish.


TKJunkMail
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
reply to Link Logger
Additional discussion online here:
»tech.yahoo.com/news/zd/20091105/tc_zd/245762


VikingBob

join:2004-06-05
Ste Anne, MB
reply to Link Logger
Interesting may be an understatement...


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

No doubt this will be interesting, but what sites and how this can be used against them is what will make this interesting, as not every site is vulnerable; there are some 'depends on' conditions here. But I don't think everyone has thought this through all the way, as I'm thinking there could be a couple of 'cases' that haven't been thought of or explored, and those will make this potentially very interesting.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

The Snowman
Premium
join:2007-05-20
·Verizon Online DSL

reply to Link Logger

This exploit has been known for several months, and only after a tech accidentally leaked it did the company that discovered it decide to go public. It was posted on MSN yesterday with details. I don't have that link.
The problem is with the protocol.


VikingBob

join:2004-06-05
Ste Anne, MB
·MTS

reply to Link Logger
Re: Zero-day flaw found in web encryption

More details at »isc.sans.org/diary.html?storyid=7543

Due to the recent publishing of information regarding a TLS/SSL protocol vulnerability (previous ISC diary entry can be found here »isc.sans.org/diary.html?storyid=7534) OpenSSL has released a new version (OpenSSL 0.9.8l). It should be noted that this update does not "fix" the vulnerability in the protocol. It appears that they have made the choice to simply remove TLS/SSL renegotiation from their package by default.
Friday, 04-Dec 02:18:23 | © 1999-2009 dslreports.com.