The encryption of Internet traffic is the key to prevent unauthorized access to, among other login information and other sensitive data sent between a user's computer and a server at the other end.
Therefore, it becomes a problem if we no longer can rely on the solution that takes care of the encryption. This now seems to be the case for technology Transport Layer Security (TLS), which is used to encrypt many different types of Internet-based services, including IP telephony, e-mail and Web applications. The problem will also apply to SSL v3 (Secure Sockets Layer) and older.
In a blog post writes Marsh Ray and Steve Dispenses that Ray already in August discovered a bug in TLS that allows for multiple types of "man in the middle" attacks that are related to renegotiation. This gives the attacker the ability to inject an arbitrary number of clear text at the beginning of the protocol stream to the application.
Ray and Dispenses has focused on what this has to say for HTTPS (Hypertext Transfer Protocol Secure), ie the protocol that among other things used in connection with banking services. In a document describing the several types of attacks, including one where the attacker can perform an optional HTTP transaction, which is authenticated by a legitimate user.
Security researcher Chris Paget comment on the issue in this blog post. He believes that the vulnerability does not have great significance in connection with HTTP, since it does not do something that has already been possible through other methods. However, the vulnerability allows an attacker to interfere with other types of SSL / TLS-protected data traffic, for example, traffic between a database server and an application. Paget also mentions that thousands of mechanisms for updating the software depends on the SSL.
- This is a violation of the protocol level, one that requires a change in the way the SSL and TLS functions, in order to repair it, writes Paget.
According to ZDNet UK the Industry Consortium for the Advancement of Security on the Internet (Icasi) been notified Ray and dispenses about the findings. The same applies to the IETF (Internet Engineering Task Force) and a number of open source projects that are behind the SSL implementations.
The 29 September to the various groups have had a joint meeting and come forward to create a project, Project Mogul, which will handle the problem. The project will first concentrate on creating a protocol extension. But this will only be a temporary solution. Project Mogul was however also the name of a much-talked balloon project with the U.S. military.
A draft of the protocol extension can be found here.
The problem with weaknesses in the protocols is that they must be addressed in any software that uses the protocol. There is no gain in this case, and it may take a long time before all have been updated and rolled out.
