PhoneFactor Discovers Major Vulnerability in SSL Authentication
OVERLAND PARK, KS, Nov 05, 2009 (MARKETWIRE via COMTEX) --
PhoneFactor, a leading global provider of two-factor security
services, today announced that Marsh Ray and Steve Dispensa of
PhoneFactor discovered a serious vulnerability in SSL, the most
common data security protocol on the Internet. The SSL Authentication
Gap allows an attacker to mount a man-in-the-middle attack, and
affects the majority of SSL-protected servers on the Internet.
Specifically, the vulnerability allows an attacker who sits between
the client and the server to splice data of his own choosing into a
connection the server has already authenticated, so that the server
acts on the attacker's requests as if they had come from the
legitimate client. Furthermore, neither the web server nor the web
browser can generally detect that their session has been hijacked.
The vulnerability results from a weakness in the SSL protocol
standard itself (standardized by the IETF as Transport Layer
Security, or TLS). As such, most SSL implementations are vulnerable
in one way or another. Affected scenarios include web surfers doing
online banking, back-office systems using web services-based
protocols, and non-HTTP applications such as some mail servers and
database servers.
"Because this is a protocol vulnerability, and not merely an
implementation flaw, the impacts are far-reaching," said Steve
Dispensa, CTO of PhoneFactor. "All SSL libraries will need to be
patched, and most client and server applications will, at a minimum,
need to include new copies of SSL libraries in their products. Most
users will eventually need to update any software that uses SSL."
To address the issue, the PhoneFactor team organized a working group
of affected vendors, together with representatives from the
appropriate standards committees. The group reached consensus on how
to fix the underlying issue in the SSL standard and how to patch the
SSL libraries, and also produced a set of recommended mitigations
for the vulnerability.
News of the vulnerability broke when a member of an IETF working
group independently discovered the issue and posted it to an IETF
mailing list on November 4th. Word quickly spread through the IT
security community.
"The discovery of this vulnerability speaks to a larger issue with
single channel authentication protocols," said Dispensa. "While this
vulnerability is larger in scope than many, man-in-the-middle attacks
have been a known threat for some time. Out-of-band protocols should
be considered when possible to help mitigate the risk of these
attacks."
More information is available at http://www.phonefactor.com/sslgap/.
About PhoneFactor
PhoneFactor is an award-winning two-factor authentication service
that uses any phone as a second form of authentication. Its
out-of-band architecture and real-time fraud alerts provide strong
security for enterprise and consumer applications. PhoneFactor is
easy and cost effective to set up and deploy to large numbers of
geographically diverse users. PhoneFactor was recently named to the
Bank Technology News FutureNow list of the top 10 technology
innovators securing the banking industry today. Learn more at
www.phonefactor.com.
Contact
Michelle Metzger
Pierpont Communications, Inc.
Phone: 214.217.7300
Cell: 214.682.7559
SOURCE: PhoneFactor