New SSL Vulnerability: Serious or Not?

Every now and then a new SSL vulnerability hits the headlines in the trade press. Even the slightest possiblity of weaknesses in SSL send shock waves through the security community. An exploit against SSL, so goes the convential wisdom, stabs right at the heart of e-commerce, because SSL is the basis for securing transactions over the web.

And, it happened again this week, when a pair of researchers at PhoneFactor, a two-factor authentication company, said they found a fundamental flaw in the SSL protocol, which would allow an attacker to use a Man-In-The-Middle (MITM) attack to hijack an SSL session and secretly execute commands.

The commands could be used to reset passwords, for example, in one of the multiple sessions comprising a single encrypted SSL transaction. Attacks have already been tested against both Apache and Microsoft IIS web servers communicating with different client applications.

Researchers from a consortium of tech heavyweights have been meeting behind closed doors since September to patch the flaw, which will require a fix for all SSL libraries and patches for any software, not just browsers, that use the encryption protocol.

But another security researcher, Moxie Marlinspike, an expert on SSL flaws, said the vulnerability would have no impact on e-commerce. Marlinspike said, first, the exploit involves injecting code and not intercepting traffic, making it of limited value to an attacker targeting online transaction. And, second, the attack requires client-certificate authentication, which is rarely used in SSL authentication.