A researcher from Lucent's Bell Labs has found a security flaw in SSL that could allow hackers to retrieve encrypted data from 'secure' Internet sessions.
Secure Sockets Layer (SSL) is commonly used on Web servers whenever sensitive data, such as personal information or credit card details, are passed over the Internet.
Every time a user enters a secured area on a Web site, an encrypted session is set up. It now appears that there is a way for a hacker to determine the encryption key used for a particular encrypted session, by sending up to a million messages to the server and observing the error messages this generates.
Once a hacker obtains the key, he can recover information that was included in the encrypted session, for instance credit card details. But he must repeat the attack for every session he wishes to crack.
The security flaw was discovered by Daniel Bleichenbacher of Lucent's Bell Labs Secure Systems Research. There are no reports of it actually having been used by hackers.
Normally, the stream of error messages generated by such an approach should alarm a network administrator, limiting the chance of an actual attack succeeding.
The flaw is caused by a weakness in the Public Key Encryption Standard #1, developed by RSA Laboratories. But other secure protocols based on RSA public key encryption, such as Secure Electronic Transactions (SET) and Secure Multipurpose Internet Mail Extension (S/MIME), are apparently not affected.
The Lucent researchers were kind enough to inform major Internet software developers two weeks before they broke the news, so fixes for the problem are ready to ship. Netscape has a patch for its various servers, and Microsoft has posted a single fix for Internet Information Server, Site Server and Exchange. Both vendors' patches work by masking the error messages that the attack depends on.
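The following added example (not code from the article, Lucent, Netscape or Microsoft) contrasts a server-side check that reports a distinct error for each way a decrypted RSA block can be malformed with one that masks those errors. The function names and sample blocks are constructed for illustration, and substituting a random secret on failure is an assumed way of masking the error, not a description of the vendors' patches.

```python
import os

PREMASTER_LEN = 48  # size of the SSL premaster secret carried in the RSA block

def unpad_pkcs1_v15(em: bytes) -> bytes:
    """Strip PKCS #1 v1.5 encryption padding: 00 02 <8+ nonzero bytes> 00 <message>."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator missing (-1) or padding string shorter than 8 bytes
        raise ValueError("bad padding string")
    return em[sep + 1:]

def leaky_key_exchange(em: bytes):
    """Pre-patch behaviour: every failure mode gets its own error message."""
    try:
        secret = unpad_pkcs1_v15(em)
    except ValueError as exc:
        return f"error: {exc}", None
    if len(secret) != PREMASTER_LEN:
        return "error: bad secret length", None
    return "ok", secret

def masked_key_exchange(em: bytes):
    """Masked behaviour: never report the failure; continue with a random secret,
    so the handshake fails later in the same way for every malformed block.
    (Python gives no constant-time guarantee; this shows the logic only.)"""
    fallback = os.urandom(PREMASTER_LEN)
    try:
        secret = unpad_pkcs1_v15(em)
    except ValueError:
        secret = b""
    return "ok", (secret if len(secret) == PREMASTER_LEN else fallback)

# Constructed sample blocks (what RSA decryption would output), not captured data.
SECRET = bytes(range(1, PREMASTER_LEN + 1))
SAMPLES = {
    "valid": b"\x00\x02" + b"\xaa" * 77 + b"\x00" + SECRET,
    "wrong_type": b"\x00\x01" + b"\xaa" * 77 + b"\x00" + SECRET,
    "short_padding": b"\x00\x02" + b"\xaa" * 3 + b"\x00" + SECRET,
    "wrong_length": b"\x00\x02" + b"\xaa" * 77 + b"\x00" + SECRET[:10],
}

def statuses(handler):
    """Return the status each sample produces under the given handler."""
    return {name: handler(em)[0] for name, em in SAMPLES.items()}

if __name__ == "__main__":
    print("leaky :", statuses(leaky_key_exchange))
    print("masked:", statuses(masked_key_exchange))
```

With the leaky handler the four samples produce four different responses; with the masked handler they are indistinguishable at this step.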