A major flaw in the Secure Sockets Layer protocol (SSL) has been uncovered by security researchers with PhoneFactor, a firm providing phone-based authentication. SSL is a technology used widely for online banking, secure e-mail and database access, and other online applications, in order to protect sensitive data in online transactions.
The vulnerability was first discovered in August and disclosed by security researchers Marsh Ray and Steve Dispensa to a major tech industry consortium in September. Public disclosure was not planned until next year, in order to give affected companies time to update their software with a fix, but another security researcher independently discovered the vulnerability and posted it on November 4th to an Internet Engineering Task Force mailing list, prompting the original researchers to go public. Now software developers are working overtime to get patches in place.
"The SSL Authentication Gap allows an attacker to mount a man-in-the-middle attack, and affects the majority of SSL-protected servers on the Internet", said Steve Dispensa of PhoneFactor. "Specifically, the vulnerability allows the attacker to inject himself into the authenticated SSL communications path and execute commands. Furthermore, both the web server and the web browser generally have no idea their session has been hijacked. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL."
The exact mechanism of the exploit was not disclosed, but the researchers do point out that a security breach would likely only occur in combination with one or more other vulnerabilities, such as a DNS flaw or unsecured home router.