Debate Flares Over Microsoft's SSL Glitch

After the dust settled around last week's revelation of a security flaw that affects Microsoft's Web browser, network executives were left with another patch to apply to their Windows operating systems and a debate about the severity of the problem.

Those who don't apply the patch will risk leaving the door open for savvy hackers to grab data such as credit-card numbers encrypted using Secure Sockets Layer, a standard for securing traffic on the Internet. The flaw is that Microsoft's Internet Explorer does not validate certificates used to identify a Web site as part of SSL transactions. That can let hackers who create bogus certificates put themselves in the middle of a supposedly secure transaction and intercept data.

Microsoft says the SSL problem resides in the Windows operating system and not its browser, although the problem manifests itself through that application. Therefore, Microsoft is working on a patch for Windows 98, ME, NT4, 2000, and XP that would change the way the operating system handles SSL certificate verification. The firm did not say when the patch would be available.

Detailing the Problem

"This SSL flaw has been described as an [Internet Explorer] problem, but it is a Windows issue. It's in the crypto of the operating system so we have to patch the [operating system]," says Scott Culp, manager of the Microsoft Security Response Center. "[Internet Explorer] is a consumer of those crypto services." Culp says the flaw only affects Internet Explorer.

Culp says the flaw is in operating system code that performs validation of SSL certificate chains, the hierarchy of trust that cascades from certificate authorities such as VeriSign. The operating system must be patched because Internet Explorer does not have its own cryptography code, instead relying on the operating system for that service, Culp says.

Microsoft officials say they have yet to determine how the flaw affects versions of Internet Explorer for Unix and Macintosh.

Degree of Difficulty

Culp says the attack is complex to carry out because a hacker would have to trick a user onto a bogus Web site or redirect Internet traffic by hacking into the DNS, which governs the routing of Internet traffic.

But independent researcher Mike Benham, who discovered the flaw, says exploits are not far-fetched and network executives should take the threat seriously.

"These types of attacks are what SSL was meant to protect against," Benham says. "If these types of attacks were so hard, no one would have to use SSL."

Cryptography expert Bruce Schneier, chief technology officer of Counterpane Internet Security, says the threat of redirecting or tricking users onto rogue Web sites is real. "Just this week my wife got an e-mail trying to direct her onto a forged eBay site," Schneier says. "This type of social engineering is more common than many think because people don't know what an IP address is or where it should be taking them."

Easy to Trace?

But VeriSign officials say a hacker needs a valid SSL certificate to create a bogus certificate. "In order to obtain a valid certificate from us you need to identify yourself," says Ben Golub, senior vice president for trust and payment services at VeriSign, which has 400,000 certificates in circulation. "That makes you easy to trace."

VeriSign scans the Web regularly for expired and revoked certificates, and searches for bogus certificates as well," he says.

Even successful exploits may bear little fruit, some say.

Exploiting the flaw to crack SSL remote-access security would be a lot of effort for little results, says Elad Baron, chief executive officer of SSL remote-access vendor Whale Communications. The attacker would have to divert traffic from the real server to a phony one that appeared to be the real site, he says. The user then would submit his username and password, which the hacker would use to gain access to the protected site. Then the attacker would be limited to just the resources that were available to the person whose user name and password were hijacked.

"When you are talking about e-mail, what are you going to get? There are much easier ways to get someone's username and password in real life," Baron says.