Researchers find Internet Secure Socket Layer (SSL) flaw that allows passwords to be intercepted

AFP via Babelfish translation ^ | February 20, 2003

[HAL9000]

Swiss researchers pirate the principal system of safety Internet

Researchers of federal polytechnic Ecole of Lausanne (FPSL, Switzerland) found a fault in the most widespread system of securisation of the transactions by Internet, the SSL (Secure Socket Layer), famous up to now inviolable, announced Thursday EPFL.Ces researchers showed that it was possible to recognize in less than one hour the password used by a Net surfer to connect itself to a commercial service of sale or on its bank account in ligne."Nous are the first to have discovered this weakness of protocol SSL, the process of securisation most usually used for the transactions via Internet ", declared in an official statement Serge Vaudenay Laboratory of safety and cryptography of EPFL.Il specified that the school had transmitted the result of its research to the people charged to update the SSL and that the new version of the system (0.9.7a) protects from now on from this type of attaque."Concrètement, explains Mr. Vaudenay, we developed a program which enabled us to intercept the password of a person using a software of communication made safe by SSL ". The scientists then connected themselves to the software while being made pass for the user. They could thus have read its malls or to carry out financial transactions in its nom.Secure Socket Layer (SSL) can result in protected layer of Socket. Socket is an Anglicism indicating an interface making it possible to make communicate the software between them. The SSL is thus a protocol which protects this interface from any use pirate.Un waiter made safe by SSL has an address starting with https://, the S meaning secured (protected). Program SSL is transparent for the user who thus does not receive any indication that the confidentiality of the exchanges was compromise.Les researchers of FPSL imagined an attack which functions when the encryption algorithm used is of type CBC and that the pirate is in the vicinity of the waiter of transport.

[HAL9000]

From EPFL.ch -

Password Interception in a SSL/TLS Channel

[bmwcyle]

Good find!

[HAL9000]

OpenSSL.org - Announcement: OpenSSL version 0.9.7a and 0.9.6i released

[js1138]

No wonder it surrenders its data. It's French.

[HAL9000]

No information from the National Infrastructure Protection Center yet - but this is a serious enough problem to expect they will address it soon.

http://www.nipc.gov/

[taxcontrol]

Tempest in a tea pot folks. The technical requirements to sucessfully execute this attack make the exploitation window so narrow as to be impractical.

Don't worry about it.

[HAL9000]

Don't worry about it.

Someone with a small Linux server probably doesn't need to worry about it too much, but large financial institutions cannot afford that luxury.

[taxcontrol]

The threat window is so small and the information required that it is not POSSIBLE to execute the attack over the Internet. Such an attack would require a network one way path of sub 10 milliseconds. Thus only local access would be possible.

Large financial institutions have far more dangerous things to worry about.