TLS security protocol for online banking, Facebook has 'serious weaknesses,' researchers say

Feb 03, 2013

The protocol that provides security for online banking, credit card data and Facebook has major weaknesses, according to researchers at Royal Holloway University.

The Transport Layer Security (TLS) protocol is used by millions of people on a daily basis. It provides security for online banking, as well as for credit card data when shopping on the Internet. In addition, many email systems in the workplace use it, as well as a number of big companies including and Google.

Professor Kenny Paterson from the Information Group at Royal Holloway and PhD student Nadhem AlFardan found that a so-called 'Man-in-the Middle' attack can be launched against TLS and that sensitive personal data can be intercepted in this way. They have identified a flaw in the way in which the protocol terminates TLS sessions. This leaks a small amount of information to the , who can use it to gradually build up a complete picture of the data being sent.

Professor Paterson said: "While these attacks do not pose a significant threat to ordinary users in its current form, attacks only get better with time. Given TLS's extremely widespread use, it is crucial to tackle this issue now.

"Luckily we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organisations, including , and OpenSSL, to test their systems against attack and put the appropriate defences in place."

Explore further: Computer-assisted accelerator design

Related Stories

Patch for flaw in key Internet protocol

Jan 15, 2010

(PhysOrg.com) -- A flaw was found in November in a key Internet protocol that encrypts most sensitive online transactions and communications, including credit card and banking transactions. A patch has now ...

CRIME attack is shown to decrypt HTTPS web sessions

Sep 14, 2012

(Phys.org)—The fun of acronyms is reflected in coming up with CRIME, which stands for Compression Ratio Info-leak Made Easy. What it translates into, though, is not much fun. Two security researchers have ...

Improving the security of Internet exchanges

Mar 20, 2009

(PhysOrg.com) -- TLS is the main protocol used today to secure exchanges over the Internet. The protocol has been subject to attacks in recent years, resulting in identity theft and data tampering. To address these problems, ...

Sony, Epsilon execs to testify

Jun 02, 2011

(AP) -- Executives from Sony and online marketing firm Epsilon will go before lawmakers on Thursday to try to explain recent data breaches at their companies that have exposed email addresses, credit card numbers and other ...

Android apps are full of potential leaks, finds study

Oct 22, 2012

(Phys.org)—Many Android apps are capable of falling victim to Man in the Middle (MITM) attacks. How many? Far too many. Thousands of apps in the Google Play mobile market present vulnerabilities because ...

Expert gives tips on safeguarding against data theft

Apr 11, 2011

Nick Feamster, assistant professor at Georgia Tech's College of Computing and researcher at the Georgia Tech Information Security Center offers his expertise on the Epsilon data breach and what users and custodians can do ...

Recommended for you

Computer-assisted accelerator design

Apr 22, 2014

Stephen Brooks uses his own custom software tool to fire electron beams into a virtual model of proposed accelerator designs for eRHIC. The goal: Keep the cost down and be sure the beams will circulate in ...

First steps towards "Experimental Literature 2.0"

Apr 21, 2014

As part of a student's thesis, the Laboratory of Digital Humanities at EPFL has developed an application that aims at rearranging literary works by changing their chapter order. "The human simulation" a saga ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

DavidW
1 / 5 (1) Feb 04, 2013
TLS does little to stop trojans and the like, the real issue with online security. But hey, that's what insurance is for.

More news stories

Robot scouts rooms people can't enter

(Phys.org) —Firefighters, police officers and military personnel are often required to enter rooms with little information about what dangers might lie behind the door. A group of engineering students at ...

Finalists named in Bloomberg European city contest

Amsterdam wants to create an online game to get unemployed young people engaged in finding jobs across Europe. Schaerbeek, Belgium, envisions using geothermal mapping to give households personalized rundowns of steps to save ...

Internet TV case: US justices skeptical, concerned

Grappling with fast-changing technology, U.S. Supreme Court justices debated Tuesday whether they can protect the copyrights of TV broadcasters to the shows they send out without strangling innovations in ...

Brazil passes trailblazing Internet privacy law

Brazil's Congress on Tuesday passed comprehensive legislation on Internet privacy in what some have likened to a web-user's bill of rights, after stunning revelations its own president was targeted by US ...

In the 'slime jungle' height matters

(Phys.org) —In communities of microbes, akin to 'slime jungles', cells evolve not just to grow faster than their rivals but also to push themselves to the surface of colonies where they gain the best access ...