Wednesday 21 September 2011

Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit for a long-known vulnerability in all versions of SSL and TLS 1.0.

Although the vulnerability has been known since the early iterations of SSL, it was thought until now to be unexploitable.

Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser.

What does this mean for us, the security practitioners? It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon. Attacks against SSL/TLS 1.0 have yet to show up in the wild, but it is only a matter of time.

Still unsure about what SSL/TLS is? Here's a good reference.

(Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit. It harkens to fear mongering to me.)

Update: The presentation to be given at the EKOParty security conference will provide all of the details on the exploit. It may be related to this paper.


  1. Thanks, just what I needed to hear :-)

  2. Sorry to be the bearer of bad news. My next post will be even worse for you then.

  3. [...] on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect [...]

  4. [...] has released a security advisory relating to the SSL/TLS vulnerability previously discussed. Included in the advisory are a workaround and a tool that can implement a [...]

  5. [...] been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security [...]