
Zero-day flaw found in web encryption

Tom Espiner ZDNet UK | November 5, 2009 9:41 AM PST

Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.

Ray, who along with Dispensa works for two-factor authentication company PhoneFactor, explained in a blog post on Thursday that he had initially discovered the flaw in August, and demonstrated a working exploit to Dispensa at the beginning of September.

The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user, the researchers said in a technical paper.

For more, read "Zero-day flaw found in web encryption" on ZDNet UK.

4 Comments

Bad one
honeymonster 5th Nov 2009
Because the bug is actually in the spec (and because of an incomplete spec) there is no obvious solution which will not risk breaking a lot of software.

On the positive side, the vuln can only be exploited by someone on the network path (it is a man-in-the-middle attack), which means that your network admin, the admins at your ISP (and intelligence services) etc. can use this to snoop on traffic, but a malicious site can not.
0 Votes
wireless too
richard233 11th Nov 2009
And if someone knows what they are doing, using various wireless technologies could likely be sniffed and spoofed too.
0 Votes
Cue...
Ceridan Updated - 5th Nov 2009
Morons that will say: This flaw only works on Windows because of the invulnerability shield that Linux/Macs have from their Unix origin.

PS: It's a bad one... I hope it will be fixed even if the possibility of exploitation is low.
0 Votes
A true cross-platform flaw
barence773 8th Nov 2009
The TLS protocol does not care which OS you are using. This flaw is truly cross-platform. So much for fanboys...
