A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https connection, allows an attacker to break into any theoretically secured connection and add malicious commands.
Taking advantage of the flaw requires accessing the specific network traffic between a client, such as a Web browser, and a Web or other server. That means most home users probably wouldn’t be specifically targeted by one of these potential man-in-the-middle attacks, according to discoverer Marsh Ray, a security researcher at PhoneFactor, which provides phone-based two-factor authentication solutions.
However, businesses and organizations are likely targets. Per Ray, any SSL-protected traffic could potentially be vulnerable, whether it’s for an https site, secured database communications, or a secured e-mail connection. The problem doesn’t allow for decrypting and stealing SSL-encrypted data outright, but instead allows for inserting any command into the communications stream.
That would be bad enough for https traffic, where a victim Web browser could be made to post data to an attacker-controlled site. And it could prove devastating for a database server.
Ray says PhoneFactor originally found the flaw in August while performing internal security testing and kept it quiet while affected vendors and software groups worked on a fix. But in the meantime, an independent researcher also found the flaw and the news broke.
Patches are underway but not yet available. The currently proposed fix will require patching all client and server applications, including Web browsers, e-mail programs and any other programs using SSL libraries, according to Ray.
PhoneFactor’s post on the problem is up on the company’s site , and a security researcher named Chris Paget has posted his thoughts on the subject (scroll down to the comments to see some back-and-forth between Ray and Paget). The IDG news service also has a good story up on the topic.