06 Nov 2009
The discovery of a new flaw in the Secure Sockets Layer (SSL) protocol is prompting networking and security vendors to issue warnings.
Mobile security vendor PhoneFactor said that the vulnerability lies in how data is transmitted over SSL connections, in the protocol's renegotiation handshake. It allows an attacker to mount a 'man in the middle' attack in which attacker-supplied data is injected at the start of a victim's session and accepted by the server as part of the victim's own traffic, without the user's knowledge.
According to PhoneFactor, the flaw is present in the SSL standard itself, meaning that all systems using the protocol could be vulnerable to attack.
"Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching," said PhoneFactor chief technology officer Steve Dispensa.
"All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products."
No attacks in the wild have yet been reported, and PhoneFactor said that major hardware, networking and server software vendors were notified and advised more than one month prior to disclosing the flaw.
Tim Callan, vice president of marketing at VeriSign, told V3.co.uk that his company's researchers do not believe that the flaw poses a major risk to end users.
Callan explained that, although the vulnerability allows an attacker to add malicious code to outgoing SSL traffic, it does not allow an attacker to decrypt the information and spy on the data being sent.
Instead, the flaw functions in a similar way to a hole in the firewall, allowing attack code to slip through server security protections as trusted SSL data.
"There is no opportunity to spy on your bank account or anything like that," said Callan. "Essentially this is a network vulnerability. Once the malicious code is inside, you have a whole world of exploits that can be performed."
Callan said that the vulnerability is far-reaching, but is not on the level of previous widespread flaws, such as the 2008 DNS vulnerability.
"It is clever but, in terms of the real world, it will not have a large impact," he said. "At this point we are in the normal realm of security vulnerability patching."
Network and server administrators will need to download and install a patch from their operating system or SSL library vendors. End users are not expected to need an urgent update, although, as Dispensa noted above, client applications will also need updated SSL libraries before the fix is complete, since both ends of a connection have to agree on the corrected handshake.
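To make the mechanism concrete, the following is an added example written for this edit; it is not code from the article, PhoneFactor or VeriSign. It models, in Python, the application-layer effect of the renegotiation flaw described above: the attacker never decrypts the victim's traffic, yet a server that carries its input buffer across a renegotiation parses the attacker's half-finished request followed by the victim's authenticated request as a single request from the victim. The same model shows why the eventual fix (the renegotiation_info binding later standardised in RFC 5746, which postdates this article) needs both ends updated: a server that requires the binding refuses the spliced handshake because the victim's ClientHello has nothing to bind to. The host name, paths, cookie value and the toy Server class are hypothetical, and no real TLS is spoken on the wire.

```python
"""
Toy model of the 2009 SSL/TLS renegotiation splice (added example, not the
article's or PhoneFactor's code). Nothing here talks TLS on the wire; it
models only the part that matters for the article's point: an attacker who
cannot read the victim's traffic can still make the server treat
attacker-chosen bytes as the start of the victim's authenticated request.
"""
import os
from typing import Optional

# Constructed sample traffic; host, paths and token are hypothetical.
# The attacker leaves a header name open so the victim's request line is
# swallowed as that header's value instead of starting a new request.
ATTACKER_PREFIX = (b"GET /account/transfer?to=mallory&amount=1000 HTTP/1.1\r\n"
                   b"X-Ignore: ")
VICTIM_REQUEST = (b"GET /account/balance HTTP/1.1\r\n"
                  b"Host: bank.example\r\n"
                  b"Cookie: session=alice-secret-token\r\n"
                  b"\r\n")


def parse_http_request(stream: bytes) -> dict:
    """Parse the first HTTP/1.1 request (request line + headers) from a byte stream."""
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].decode().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


class Server:
    """One TLS connection with one application-data buffer (hypothetical model).

    secure_renegotiation=False models a pre-fix stack: it keeps the buffer
    across a renegotiation and cannot tell that the renegotiating peer is not
    the peer that sent the earlier bytes.
    secure_renegotiation=True models the RFC 5746 fix: the renegotiating
    ClientHello must echo the verify_data of the handshake it renegotiates,
    otherwise the connection is aborted.
    """

    def __init__(self, secure_renegotiation: bool):
        self.secure_renegotiation = secure_renegotiation
        self.verify_data: Optional[bytes] = None  # value from the last Finished message
        self.buffer = b""

    def initial_handshake(self) -> bytes:
        self.verify_data = os.urandom(12)
        return self.verify_data  # only the peer that completed this handshake knows it

    def receive(self, data: bytes) -> None:
        self.buffer += data

    def renegotiate(self, renegotiation_info: bytes) -> None:
        if self.secure_renegotiation and renegotiation_info != self.verify_data:
            raise ConnectionAbortedError("renegotiation not bound to the previous handshake")
        self.verify_data = os.urandom(12)
        # The buffer is kept either way: the fix stops the splice at the
        # handshake, it does not flush application data.

    def next_request(self) -> dict:
        return parse_http_request(self.buffer)


def run_splice_attack(secure_renegotiation: bool) -> Optional[dict]:
    """Run the man-in-the-middle splice against a server.

    Returns the request the server parses, or None if the server aborted
    the renegotiation.
    """
    server = Server(secure_renegotiation)

    # 1. The attacker opens its own session and sends an unfinished request.
    server.initial_handshake()
    server.receive(ATTACKER_PREFIX)

    # 2. The attacker forwards the victim's *initial* ClientHello as a
    #    renegotiation. The victim believes this is a fresh connection, so
    #    its hello carries an empty renegotiation_info.
    victim_renegotiation_info = b""
    try:
        server.renegotiate(victim_renegotiation_info)
    except ConnectionAbortedError:
        return None

    # 3. The victim's real request arrives under the victim's keys; the
    #    attacker never sees its plaintext. The server simply appends it.
    server.receive(VICTIM_REQUEST)
    return server.next_request()


if __name__ == "__main__":
    forged = run_splice_attack(secure_renegotiation=False)
    print("unpatched server parsed:", forged["method"], forged["path"])
    print("carrying the victim's cookie:", forged["headers"].get("cookie"))
    print("patched server parsed:", run_splice_attack(secure_renegotiation=True))
```

Running the file prints the request the unpatched server believes the victim sent: the attacker's transfer URL, carrying the victim's session cookie. That is the class of attack Callan's "whole world of exploits" remark refers to, and it is why the absence of decryption does not by itself make the flaw harmless. With secure renegotiation required, the spliced handshake is refused and no request is parsed.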