
Zero-day flaw found in web encryption

Tom Espiner ZDNet UK | November 5, 2009 9:41 AM PST

Summary

A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.

Ray, who along with Dispensa works for two-factor authentication company PhoneFactor, explained in a blog post on Thursday that he had initially discovered the flaw in August, and demonstrated a working exploit to Dispensa at the beginning of September.

The flaw lies in the TLS renegotiation handshake: an attacker positioned between client and server can splice data of their own onto the start of a legitimate user's authenticated session, so the server treats the attacker's request as if the user had sent it. In a technical paper the researchers describe this as allowing an outsider to hijack a legitimate user's browser session and successfully impersonate the user.
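The following is an added illustration, not code from the ZDNet article or from the researchers' paper. It models the application-layer effect of the renegotiation flaw with constructed HTTP traffic: the server's HTTP parser receives bytes sent by the attacker before the renegotiation and bytes sent by the victim after it as one continuous stream. The attacker ends their prefix with an unterminated header (`X-Ignore-This: ` is the header name used here; any name would do) so the victim's request line is absorbed into it while the victim's `Cookie` header survives and authenticates the attacker's request. The server model names, the hostname `bank.example` and the request paths are all assumptions made for the example.

```python
# Added example (not from the ZDNet article or the researchers' paper): a model of
# the TLS renegotiation prefix-injection problem, where a server's application
# layer sees bytes received before and after a renegotiation as one stream.

# Constructed sample traffic (hostname, paths and cookie value are assumptions).
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore-This: "  # deliberately no CRLF: swallows the victim's request line
)

VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=VICTIM-SESSION-COOKIE\r\n"
    b"\r\n"
)


def parse_http_request(data: bytes):
    """Minimal HTTP/1.1 request parser: returns (method, target, headers).

    Header names are lower-cased; a repeated header keeps the last value.
    """
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers


def vulnerable_server_view(pre_renegotiation: bytes, post_renegotiation: bytes) -> bytes:
    """Server that keeps buffered application data across a renegotiation.

    The attacker's bytes (first handshake) and the victim's bytes (renegotiated,
    authenticated handshake) are delivered to the HTTP layer as one stream.
    """
    return pre_renegotiation + post_renegotiation


def hardened_server_view(pre_renegotiation: bytes, post_renegotiation: bytes) -> bytes:
    """Server that discards any partial request when a renegotiation occurs.

    Nothing received under the previous handshake can prefix data received
    under the new one, so the attacker's unterminated header is dropped.
    """
    return post_renegotiation


def request_attributed_to_victim(server_view):
    """Return (request target, cookie) the server would act on for the victim."""
    stream = server_view(ATTACKER_PREFIX, VICTIM_REQUEST)
    _method, target, headers = parse_http_request(stream)
    return target, headers.get("cookie")


if __name__ == "__main__":
    # Vulnerable: attacker's transfer request carries the victim's session cookie.
    print(request_attributed_to_victim(vulnerable_server_view))
    # Hardened: only the victim's own balance request is seen.
    print(request_attributed_to_victim(hardened_server_view))
```

Dropping buffered data at renegotiation is a server-side containment measure; the protocol-level fix that followed this disclosure is the renegotiation indication extension of RFC 5746, which cryptographically binds a renegotiation to the handshake that preceded it so a man-in-the-middle cannot splice two independent sessions together.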

For more, read "Zero-day flaw found in web encryption" on ZDNet UK.

Talkback (4)

  • Bad one
    Because the bug is actually in the spec (and because of an incomplete spec) there is no obvious solution which will not risk breaking a lot of software.

    On the positive side, the vuln can only be exploited by someone on the network path (it is a man-in-the-middle attack), which means that your network admin, the admins at your ISP (and intelligence services) etc. can use this to snoop on traffic, but a malicious site cannot.
    honeymonster
    5th Nov 2009
  • wireless too
    And if someone knows what they are doing, using various wireless technologies could likely be sniffed and spoofed too.
    richard233
    11th Nov 2009
  • Cue...
    Morons that will say: This flaw only works on Windows because of the invulnerability shield that Linux/Macs have from their Unix origin.

    PS: It's a bad one... I hope it will be fixed even if the possibility of exploitation is low.
    Ceridan
    5th Nov 2009
  • A true cross-platform flaw
    The TLS protocol does not care which OS you are using. This flaw is truly cross-platform. So much for fanboys...
    barence773
    8th Nov 2009
