SSL flaw discovered and fixed

Researchers have discovered a new security flaw in Secure Sockets Layer (SSL) protocols, one of the most widely used encryption standards.

Researchers at the Security and Cryptography Laboratory at the Swiss Federal Institute of Technology in Lausanne, found that email passwords sent via SSL are vulnerable to a form of 'side-channel' attack.

Unlike normal attacks on code that involve comparing the unencrypted and encrypted message and attempting to recover the encryption key, side-channel attacks look at other information in an attempt to crack the code, such as the time taken to perform an operation and how power consumption changes.

In this particular case the researchers attempted to decrypt the SSL data and closely monitored the time it took to get an error message sent back.

From this they were able to narrow their focus to specific sections of the message and discover the contents.

The timing differences are minute - just hundredths of a second - and the method requires multiple tries over a laboratory standard network connection to allow for successful monitoring.

A student doing a seminar project at a lab found that if he monitored Microsoft Outlook he was able to divine email passwords, but only because Outlook resends authentication data on files held in the program every five minutes using SSL.

But experts said that, while the flaw is interesting, it would be very hard to use in real life. The latest version of SSL has solved this problem and is available for installation.

"It's incredibly unlikely that this will have an effect against secure web servers," said Mark Cox, founding member of OpenSSL, the forum which designed SSL.

"There's no exploit out there and it's probably impossible to get sensitive information unless it's sent hundreds of times over a really good network connection. Your average web user is not at risk."

Earlier this year Bert Kaliski, head of RSA Labs, told vnunet.com that such side-channel methods are forcing the security industry to think again.

"Side-channel attacks are causing a fundamental rethink in the way we write encryption software," he said. "As the methods used become automated, our job is getting tougher."