Wednesday, 21 September 2011

Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit for a long known vulnerability in all versions of SSL and TLS 1.0.

Although the vulnerability has been known since the early iterations of SSL, up until now, it was thought to be un-exploitable.

Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser.

What does this mean for us, the security practitioners?   It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon.  Attacks against SSL/TLS 1.0 have yet to show up in the wild, but it is only a matter of time.

Still unsure about what SSL/TLS is?   Here's a good reference.

(Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit.  It harkens to fear mongering to me.)

Update: The presentation to be given at the EKOParty security conference will provide all of the details on the exploit.  It may be related to this paper.