Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Software makers struggle to fix Internet security hole

A flaw in SSL protocol lets hackers intercept data

Article comments

Software makers around the world are scrambling to fix a serious bug in the technology used to transfer information securely on the Internet.

The flaw lies in the SSL protocol, best known as the technology used for secure browsing on Web sites beginning with HTTPS, and lets attackers intercept secure SSL (Secure Sockets Layer) communications between computers using what's known as a man-in-the-middle attack.

Although the flaw can only be exploited under certain circumstances, it could be used to hack into servers in shared hosting environments, mail servers, databases, and many other secure applications, according to Chris Paget, a security researcher who has studied the issue.

"It's a protocol-level flaw." said Paget, the chief technology officer with a security consultancy called H4rdw4re. "There's a whole lot of stuff that's going to have to get fixed on this one: Web browsers, web servers, web load balancers, web accelerators, mail servers, SQL Servers, ODBC drivers, peer-to-peer protocols."

Although an attacker would first need to hack into the victim's network to launch the man-in-the-middle attack, the results would then be devastating -- especially if used in a targeted attack to gain access to a database or a mail server, Paget said.

Because it is so widely used, SSL is constantly under the microscope of security researchers. Late last year, researchers found a way to create fake SSL certificates that would be trusted by any browser, and in August researchers unveiled a handful of new attacks that could compromise SSL traffic. But unlike those attacks, which had to do with the infrastructure used to manage SSL's digital certificates, this latest bug lies in the SSL protocol itself and will be much harder to fix.

Further complicating matters is the fact that the bug was inadvertently disclosed on an obscure mailing list Wednesday, forcing vendors into a mad scramble to patch their products.

The issue was discovered in Auguust by researchers at PhoneFactor, a mobile-phone security company. They had been working for the past two months with a consortium of technology vendors called the ICASI (Industry Consortium for Advancement of Security on the Internet) to coordinate an industry wide fix for the problem, dubbed “Project Mogul."

But their careful plans were thrown into disarray Wednesday when SAP engineer Martin Rex stumbled across the bug on his own. Apparently unaware of the seriousness of the issue, he posted his observations on the issue to an IETF (Internet Engineering Task Force) discussion list. It was then publicised by security researcher HD Moore.

By Wednesday afternoon, enough people were talking about the issue that PhoneFactor decided to go public with their findings. "At that point we felt like the bad guys knew and we felt we had a responsibility for the good guys to know too," said Sarah Fender, PhoneFactor's vice president of marketing.

Fender couldn't say who was ready to patch the issue, but she noted that a number of open source products are "anxious" to push out a patch. "I think we'll see some patching in the near future," she said.

The ICASI could not be reached for comment Wednesday evening.

Although security experts say the flaw has probably existed for years, it is not thought to have been exploited in any attacks.

"While we consider it to be a material vulnerability, it's not the end of the world," Fender said.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *