Skip to main content

Known Vulnerability in SSL/TLS is now a Problem

In case you didn't read it here, or here, there has been a successful exploit for a long known vulnerability in all versions of SSL and TLS 1.0.

Although the vulnerability has been known since the early iterations of SSL, up until now, it was thought to be un-exploitable.

Thanks to the work of Juliano Rizzo and Thai Duong (who previously brought an issue to light with ASP.NET that caused Microsoft to release an 'out-of-band' patch), the vulnerability has been exploited through a web browser.

What does this mean for us, the security practitioners?   It may be time to implement and enforce the use of TLS 1.1 or TLS 1.2 soon.  Attacks against SSL/TLS 1.0 have yet to show up in the wild, but it is only a matter of time.

Still unsure about what SSL/TLS is?   Here's a good reference.

(Note: I didn't like the spin used by the news article entitled "Online banking encryption broken" on the CBC's website about the exploit.  It harkens to fear mongering to me.)

Update: The presentation to be given at the EKOParty security conference will provide all of the details on the exploit.  It may be related to this paper.
Labels:

Comments

  1. Keith Brooks21 September 2011 at 04:21

    thanks just what I needed to hear :-)

    ReplyDelete
  2. John Lawren James21 September 2011 at 05:25

    Sorry to be the bearer of bad news.   My next post will be even worse for you then.

    ReplyDelete
  3. IBM Lotus Domino and the SSL/TLS known vulnerability | Wildunknown21 September 2011 at 05:58

    [...] on this article, I started thinking about how the fallout from the SSL/TLS vulnerability may affect [...]

    ReplyDelete
  4. Microsoft Releases a TLS 1.1 Fix Tool for Windows | Wildunknown27 September 2011 at 13:24

    [...] has released a security advisory relating to the SSL/TLS vulnerability previously discussed.   Included in the advisory are a workaround and a tool that can implement a [...]

    ReplyDelete
  5. How To: Mitigate the SSL/TLS Vulnerability for Lotus Domino | Wildunknown27 September 2011 at 18:46

    [...] been doing quite a bit of research into the BEAST (Browser Exploit Against SSL/TLS) vulnerability that security [...]

    ReplyDelete

Post a Comment

Popular posts from this blog

Fun Little Earthquake

It's 1:45pm EST in Ottawa, Ontario, Canada. We just had an earthquake.  Not strong enough to damage anything, but enough that I watched people run out of buildings. What a fun Wednesday.
24 comments
Read more

Error 217 - Error creating product object on Domino 64 bit

I'd like to share something with you.   An error that you'll get if you are trying to use ODBC with Domino 8.5.1 64bit. It starts out with an agent error of Error 217.  The text of the error is "Error creating product object" You can read about it here on the Notes/Domino forum . You can find the solution here as well . I guess I'm now waiting for Domino 8.5.2 for a solution for this.   It would have been nice to have had this in the release notes.  It would have help me greatly.
5 comments
Read more

Lotus Trading Cards

I was painting the house last night, and my mind got to wandering... Bruce Elgort mentioned on Twitter last night that he was thinking of a VC fund for Lotus projects. So my mind wandered about that, and turned to how we present ourselves. I got to thinking that business cards are so ... old school. I think we need Trading Cards. So, here are the first few I've come up with.
12 comments
Read more