SSL Protocol Flaw Discovered

2009-11-10

Two researchers, Marsh Ray and Steve Dispensa of PhoneFactor, a provider of phone-based two-factor authentication, have come forward stating that they discovered a serious flaw in the SSL protocol. SSL (Secure Sockets Layer) is used to protect sensitive data in online transactions such as online banking, secure e-mail, and database access, among other things.

Marsh Ray, one of the security researchers who discovered the bug, stated, "Transport Layer Security is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow a MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities."

In a statement, Steve Dispensa, CTO of PhoneFactor, said, "Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL."

The Register reports that Dispensa and Ray presented their findings under a non-disclosure agreement to a large number of company representatives on September 29 in Mountain View, California, at a company they declined to name.