Patch for flaw in key Internet protocol

Jan 15, 2010 by Lin Edwards report
Map of Internet Enlarge
Internet map as of 16th January. Image: Internet Mapping Project, Bell Labs/Lumeta Corporation

(PhysOrg.com) -- A flaw was found in November in a key Internet protocol that encrypts most sensitive online transactions and communications, including credit card and banking transactions. A patch has now been developed by the Internet Engineering Task Force (IETF), but it may take some time to be fully implemented.

The flaw is in the Transport Layer Security (TLS) protocol, which is the IETF term for the Secure Socket Layer (SSL) protocol. SSL/TLS is built into Web servers and browsers to protect sensitive information. The flaw was found by Steve Dispensa and Marsh Ray of an authentication company in Kansas called Phone Factor, and allows an attacker to hijack and insert commands into the start of the encrypted conversation between a web browser and the web server.

The flaw exploits a feature of TLS that allows a to change some parameters of an encrypted session while the session is in progress. This has serious implications, as demonstrated on by one researcher. who demonstrated it could be used to order the server to reveal the victim's password. It could also potentially be used to draw money out of a victim's bank account.

One of the authors of the draft security extension for the protocol, Eric Rescorla, said the flaw in TLS shows how difficult it is to design security protocols to protect communications on the Internet. The flaw could not be exploited without considerable technical knowledge on the part of the attacker, but it is still significant because servers and clients are open to attack even if they have implemented the protocol perfectly.

The IETF has not published its official Request for Comments (RFC) document for the security extension, which is to be known as the TLS renegotiation indication extension, but Ray say the fix is stable and several groups and vendors are working on implementing it.

Deployment of the fix for commercial products that include SSL/TLS will take time because much interoperability testing will be required before vendors can ship it, and it affects a large range of products. As a workaround, most vendors have simply turned off TLS renegotiation, which does not appear to have caused many problems. Some devices, such as printers and webcams will probably never be patched because they are rarely handling critical information that would make a "man-in-the-middle" attack such as this worth worrying about.

Explore further: States scramble to attract suddenly hot cybersecurity firms

More information: Internet Engineering Task Force: www.ietf.org/

add to favorites email to friend print save as pdf podcast

Related Stories

Improving the security of Internet exchanges

Mar 20, 2009

(PhysOrg.com) -- TLS is the main protocol used today to secure exchanges over the Internet. The protocol has been subject to attacks in recent years, resulting in identity theft and data tampering. To address these problems, ...

Automated analysis of security-sensitive protocols

Oct 25, 2005

The sheer number and variety of security protocols for Internet applications under development makes it difficult to be sure that any one protocol is 100 per cent secure from attack. Now an automated tool can systematically ...

Recommended for you

Kim Dotcom slams Megaupload 'data massacre'

10 hours ago

Megaupload founder Kim Dotcom Thursday condemned a Dutch company's decision to delete million of files belonging to users of his defunct website, calling it "the largest data massacre in the history of the ...

States scramble to attract suddenly hot cybersecurity firms

19 hours ago

As data dragnets and information breaches dominate the news, states are scrambling to cash in on a rapidly expanding business sector by offering tax incentives to firms that protect sensitive information from outside attacks.

A year on, Assange stays put in Ecuadorean Embassy

Jun 19, 2013

A year ago, Julian Assange skipped out on a date with Swedish justice. Rather than comply with a British order that he go to the Scandinavian country for questioning about sex crimes allegations, the WikiLeaks ...

Google asks US secret court to lift gag order (Update)

Jun 18, 2013

Google on Tuesday sharply challenged the U.S. government's gag order on its Internet surveillance program, citing what it described as a constitutional free speech right to divulge how many requests it receives ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

tkjtkj
3 / 5 (2) Jan 15, 2010
we note that the Diffie-Hellman algorithm also suffers from a risk of a MITM attack, and even though it was fixed with the newer 'Authenticated DH', its STILL not widely implimented/disseminated!!!!
So, how many years will this lil project require!?
tkjtkj@gmail.com
PinkElephant
not rated yet Jan 15, 2010
As a workaround, most vendors have simply turned off TLS renegotiation, which does not appear to have caused many problems.


Stupid question #68: so why the hell does this feature even exist, if it adds complexity, presents a security risk, yet nobody really uses it for anything worthwhile?

Just get rid of the thing, instead of trying to fix it!
Rynox77
not rated yet Jan 15, 2010
Pink... you are correct that any element of complexity inherently adds a security risk. My guess, not knowing all the details, is this is some old feature that is used for backwards compatibility.
PinkElephant
not rated yet Jan 15, 2010
@Rynox77,

I'd buy the "backwards compatibility" argument, if they didn't state in the article that the feature has been disabled without any major disruption for customers.

Besides, even if there was a backward compatibility concern, for such things there's at least the concept of "deprecation": assert that the feature will go away 5 years from now, so all new devices will omit it while old devices will be retired/replaced by then...

Frankly, in this case it smells to me more like an over-engineered system than anything else. To which my response is always: KISS

More news stories

AP buys stake in live video service Bambuser

The Associated Press said Thursday that it has bought a minority stake in the live video service Bambuser, boosting its ability to acquire and distribute video collected by people who have witnessed news events.

Sony chief says time needed to study proposal

Sony Corp. needs more time to study a key proposal from a U.S. hedge fund to spin off a part of its entertainment unit as a way to propel its fledgling revival, the chief executive told shareholders Thursday.

Panic over MERS virus fades in Saudi

People in Saudi Arabia's Eastern Province have again started greeting friends with the traditional kiss on the cheek, and face masks in public are becoming rarer, as panic subsides over the outbreak of a deadly respiratory ...

S.Korean airlines ban shark fin as cargo

South Korea's two largest airlines, Korean Air and Asiana, said Thursday they had both decided to ban shark fin from their cargo flights as part of a growing global campaign against the Asian delicacy.

UNESCO warns Syrian heritage sites endangered

UNESCO on Thursday added six ancient sites in Syria including a fortress of Saladin and a Crusader castle to the endangered World Heritage list, warning that more than two years of civil war had inflicted ...

Philippines financial capital bans plastic bags

The Philippines financial capital banned disposable plastic shopping bags and styrofoam food containers on Thursday, as part of escalating efforts across the nation's capital to curb rubbish that exacerbates ...

Singapore haze at worst yet, Malaysia schools shut

Singapore urged people to remain indoors amid unprecedented levels of air pollution Thursday as a smoky haze wrought by forest fires in neighboring Indonesia worsened dramatically. Nearby Malaysia closed ...