Must Read: Sorry, but bringing back the Start menu won't help Windows 8

Topic: Browser

Zero-day flaw found in web encryption

Summary: A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.

Tom Espiner

By |

Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.

Ray, who along with Dispensa works for two-factor authentication company PhoneFactor, explained in a blog post on Thursday that he had initially discovered the flaw in August, and demonstrated a working exploit to Dispensa at the beginning of September.

The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user, the researchers said in a technical paper.

For more, read "Zero-day flaw found in web encryption " on ZDNet UK.

Topics: Browser, Networking, Security

About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Google+ Contact

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion

  • Bad one

    Because the bug is actually in the spec (and
    because of an incomplete spec) there is no
    obvious solution which will not risk breaking a
    lot of software.

    On the positive side, the vuln can only be
    exploited by someone on the network path (it is
    a man-in-the-middle attack), which means that
    your network admin, the admins at your ISP (and
    intelligence services) etc. can use this to
    snoop on traffic, but a malicious site can not.
    honeymonster
    Reply Vote

    • wireless too

      And if someone knows what they are doing, using various wireless technologies could likely be sniffed and spoofed too.
      richard233
      Reply Vote

  • Cue...

    Morrons that will say: This flaw only works on windows because of the invulnerability shield that Linux/Macs have from their Unix origin.

    PS: It's a bad one... I hope it will be fixed even if the possibility of exploitation is low.
    Ceridan
    Reply Vote

    • A true cross-platform flaw

      The TLS protocol does not care which OS you are using. This flaw is truly cross-platform. So much for fanboys...
      barence773
      Reply Vote
CNET Join | Log In | Privacy | Cookies Close