Posted on 02/20/2003 5:43:51 AM PST by HAL9000
Swiss researchers break the main Internet security system
Researchers at the Swiss Federal Institute of Technology in Lausanne (EPFL, Switzerland) have found a flaw in the most widely used system for securing transactions on the Internet, SSL (Secure Socket Layer), until now reputed to be unbreakable, EPFL announced on Thursday.

The researchers showed that it is possible to recover, in less than an hour, the password a user enters to log in to an online shop or an online bank account. "We are the first to have discovered this weakness in the SSL protocol, the security mechanism most commonly used for transactions over the Internet," Serge Vaudenay of EPFL's Security and Cryptography Laboratory said in a statement. He added that the school had passed its findings to the people responsible for maintaining SSL, and that the new release of the OpenSSL library (0.9.7a) now protects against this kind of attack.

"Concretely," Mr. Vaudenay explains, "we developed a program that let us intercept the password of a person using communications software protected by SSL." The scientists then connected to that software while impersonating the user. They could thus have read the user's e-mail or carried out financial transactions in their name.

Secure Socket Layer (SSL) can be rendered as "protected socket layer." A socket is an interface that lets pieces of software communicate with one another; SSL is thus a protocol that protects this interface from unauthorized use. A server secured with SSL has an address beginning with https://, the S standing for "secured." SSL is transparent to the user, who therefore receives no indication that the confidentiality of the exchange has been compromised.

The EPFL researchers devised an attack that works when the encryption algorithm in use is a block cipher in CBC mode and the attacker is positioned on the network close to the server.
Someone with a small Linux server probably doesn't need to worry about it too much, but large financial institutions cannot afford that luxury.
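The article says only that the attack needs CBC mode and an attacker near the server. The weakness behind this line of work from Vaudenay's lab is the CBC padding oracle: a server that reveals, through an error message or a timing difference, whether a decrypted record had valid padding lets an attacker who can inject modified ciphertext recover the plaintext one byte at a time, with at most 256 trial messages per byte. The script below is an added example, not code from the EPFL researchers or from any SSL implementation. It assumes a toy 4-round SHA-256 Feistel block cipher in place of a real one (so it runs with the standard library alone; the attack does not depend on which block cipher is used), a fixed constructed key, IV and secret (KEY, IV, SECRET), and a PaddingOracle class that models the server's leak as a plain yes/no answer; in the real SSL/TLS attack that answer had to be read from a timing difference, which is why the attacker needed to be close to the server.

```python
"""CBC padding-oracle attack against a toy CBC encryptor (added example)."""
import hashlib

BLOCK = 16

# Constructed values so the run is reproducible. In a real attack the key is
# known only to the server; the attacker never learns it and does not need to.
KEY = hashlib.sha256(b"demo server key").digest()
IV = bytes(range(BLOCK))
SECRET = b"user=alice&password=hunter2!"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half, rnd):
    # Toy round function: stands in for AES, is NOT a secure cipher.
    return hashlib.sha256(KEY + bytes([rnd]) + half).digest()[:8]


def block_encrypt(block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(r, rnd))
    return l + r


def block_decrypt(block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(l, rnd)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(plaintext):
    prev, out = IV, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(_xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(iv, ciphertext):
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(prev, block_decrypt(blk))
        prev = blk
    return out


class PaddingOracle:
    """Models the server-side leak: does this ciphertext decrypt to valid padding?"""

    def __init__(self):
        self.queries = 0

    def __call__(self, iv, ciphertext):
        self.queries += 1
        try:
            pkcs7_unpad(cbc_decrypt(iv, ciphertext))
            return True
        except ValueError:
            return False


def recover_block(oracle, prev_block, target_block):
    """Recover one plaintext block. prev_block is the ciphertext block (or IV)
    that precedes target_block; the attacker replaces it with forged bytes."""
    inter = bytearray(BLOCK)  # block_decrypt(target_block), learned last byte first
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # force already-known bytes to pad_val
            forged[j] = inter[j] ^ pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target_block):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte might be a longer padding (e.g. 02 02);
                # disturbing the byte before it rules that case out.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target_block):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("no valid padding found; oracle is not behaving")
    return _xor(inter, prev_block)


def recover_plaintext(oracle, iv, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    prevs = [iv] + blocks[:-1]
    return pkcs7_unpad(b"".join(recover_block(oracle, p, c) for p, c in zip(prevs, blocks)))


def run_attack():
    """Returns (recovered plaintext, number of oracle queries used)."""
    captured = cbc_encrypt(pkcs7_pad(SECRET))  # what the eavesdropper sniffed
    oracle = PaddingOracle()
    return recover_plaintext(oracle, IV, captured), oracle.queries


if __name__ == "__main__":
    recovered, queries = run_attack()
    print(recovered, "recovered with", queries, "oracle queries")
```

The attacker never touches the key: each forged block is chosen so the server's padding check answers a question about one byte of the intermediate decryption, and XORing that with the genuine preceding block yields the plaintext. The OpenSSL 0.9.7a countermeasure the article refers to is to make the padding failure indistinguishable from a MAC failure in both the alert sent and the time taken, which removes the oracle rather than the CBC mode.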