Zero-day flaw found in web encryption

Link Logger @ 5th Nov 02:11PM:
Zero-day flaw found in web encryption

»news.zdnet.co.uk/security/0,1000···ent;col1

quote:
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.


quote:
The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user, the researchers said in a technical paper.

The fault lies in an "authentication gap" in TLS, Ray and Dispensa said. During the cryptographic authentication process, in which a series of electronic handshakes take place between the client and server, there is a loss of continuity in the authentication of the server to the client. This gives an attacker an opening to hijack the data stream, they said.

In addition, the flaw allows practical man-in-the-middle attacks against hypertext transfer protocol secure (Https) servers, the researchers said. Https is the secure combination of http and TLS used in most online financial transactions.


Also see »www.tombom.co.uk/blog/?p=85

This might be interesting to watch.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
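The quoted article describes the "authentication gap" as a loss of continuity during the handshake. Where a defender can act on that today is in monitoring: in TLS 1.0 through 1.2 the five-byte record header (content type, version, length) is never encrypted, so a Handshake record (content type 22) that shows up after ApplicationData (content type 23) on the same connection means a renegotiation is taking place, whether legitimate or injected. The following is an added example, not code from the thread, the researchers' paper or any vendor: a small record parser plus a flagging pass over a constructed byte stream. The record contents, the `rec` helper and the sample streams are all made up for illustration.

```python
"""Flag TLS renegotiation in a captured record stream (added example).

Heuristic: TLS 1.0-1.2 record headers travel in the clear, so a Handshake
record arriving after ApplicationData on one connection indicates that a
renegotiation handshake is in progress. The sample streams are constructed.
"""
import struct

CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23

TYPE_NAMES = {
    CHANGE_CIPHER_SPEC: "ChangeCipherSpec",
    ALERT: "Alert",
    HANDSHAKE: "Handshake",
    APPLICATION_DATA: "ApplicationData",
}


def parse_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples.

    Raises ValueError on an unknown content type, a truncated record, or
    trailing bytes, so a malformed capture is not silently misread.
    """
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        if ctype not in TYPE_NAMES:
            raise ValueError(f"unknown TLS content type {ctype} at offset {offset}")
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record at offset {offset}")
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    if offset != len(stream):
        raise ValueError(f"{len(stream) - offset} trailing bytes after last record")
    return records


def find_renegotiations(records):
    """Return the indices of Handshake records seen after ApplicationData.

    The initial handshake (before any application data) is never flagged;
    only a handshake that starts mid-session is.
    """
    seen_app_data = False
    hits = []
    for index, (ctype, _version, _payload) in enumerate(records):
        if ctype == APPLICATION_DATA:
            seen_app_data = True
        elif ctype == HANDSHAKE and seen_app_data:
            hits.append(index)
    return hits


def rec(ctype: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one TLS record; helper for the constructed samples (version 3.1 = TLS 1.0)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample: an ordinary session. The handshake payloads are filler
# bytes, not real ClientHello/Finished messages; only the record types matter.
SAMPLE_NORMAL = (
    rec(HANDSHAKE, b"\x01" + b"\x00" * 10)        # ClientHello (stand-in)
    + rec(CHANGE_CIPHER_SPEC, b"\x01")
    + rec(HANDSHAKE, b"\xaa" * 16)                # encrypted Finished (stand-in)
    + rec(APPLICATION_DATA, b"encrypted-request")
)

# Constructed sample: same session, then a handshake record appears
# mid-stream, i.e. a renegotiation, followed by more application data.
SAMPLE_RENEGOTIATION = (
    SAMPLE_NORMAL
    + rec(HANDSHAKE, b"\xbb" * 32)                # encrypted renegotiation handshake
    + rec(APPLICATION_DATA, b"more-data")
)


def describe(stream: bytes) -> str:
    """One-line summary for a stream, suitable for a log or alert."""
    records = parse_records(stream)
    hits = find_renegotiations(records)
    kinds = ",".join(TYPE_NAMES[c] for c, _, _ in records)
    if not hits:
        return f"{len(records)} records [{kinds}]: no renegotiation"
    return f"{len(records)} records [{kinds}]: renegotiation at record(s) {hits}"


if __name__ == "__main__":
    print(describe(SAMPLE_NORMAL))
    print(describe(SAMPLE_RENEGOTIATION))
```

Two caveats for anyone turning this into an alert: a renegotiation is also what a server does when it asks for a client certificate on a protected resource, so the flag marks connections worth looking at rather than proving an attack; and the heuristic depends on the record type being visible on the wire, which is true for TLS 1.0 through 1.2 but not for TLS 1.3, where post-handshake records are disguised as application data.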

rawwhide @ 5th Nov 04:21PM:
Re: Zero-day flaw found in web encryption

said by Link Logger:

This might be interesting to watch.

Blake
Interesting indeed. This isn't specific to an application, but to the protocol.
Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.

--
To talk much and arrive nowhere is the same as climbing a tree to catch a fish.

TKJunkMail @ 5th Nov 04:48PM:
Re: Zero-day flaw found in web encryption

Additional discussion online here:
»tech.yahoo.com/news/zd/20091105/tc_zd/245762
VikingBob @ 5th Nov 10:57PM:
Re: Zero-day flaw found in web encryption

Interesting may be an understatement...
Link Logger @ 6th Nov 01:45AM:
Re: Zero-day flaw found in web encryption

No doubt this will be interesting, but what sites it can be used against, and how, is what will make this interesting, as not every site is vulnerable; there are some 'depends on' conditions here. But I don't think everyone has thought this through all the way, as I'm thinking there could be a couple of 'cases' that haven't been thought of or explored, and those will make this potentially very interesting.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

The Snowman @ 6th Nov 03:22AM:
Re: Zero-day flaw found in web encryption

This exploit has been known for several months and only after a tech accidentally leaked it did the company that discovered it decide to go public... it was posted on msn yesterday with details. I don't have that link.
The problem is with the protocol.
anon @ 7th Nov 02:16AM:
msg deleted

deleted by a moderator
VikingBob @ 7th Nov 09:30AM:
Re: Zero-day flaw found in web encryption

More details at »isc.sans.org/diary.html?storyid=7543

Due to the recent publishing of information regarding a TLS/SSL protocol vulnerability (previous ISC diary entry can be found here »isc.sans.org/diary.html?storyid=7534) OpenSSL has released a new version (OpenSSL 0.9.8l). It should be noted that this update does not "fix" the vulnerability in the protocol. It appears that they have made the choice to simply remove TLS/SSL renegotiation from their package by default.


Thank you for using lo-fi dslreports.com - report bugs
© 99-2009 silver matrix LLC