Critical SSL Weakness Found


Critical SSL Weakness Found

by Craig Mayhew on Wed 21st Sep 2011 under General
Researchers Thai Duong and Juliano Rizzo claim to have found a weakness in SSL encryption. It allows them to view anything that is encrypted with SSL and therefore supposedly secure. It affects TLS 1.0 and below which is just about every form of SSL currently supported by web servers and browsers. They will demo the exploit at Ekoparty security conference.

So the internet and ecommerce is now broken?

Don't panic - there is a fix - it just hasn't been written yet. TLS 1.1 and TLS 1.2 exist which are not vulnerable to the exploit. However they are not supported by major browsers or web server distributions. I suspect this will rapidly change and support will appear in the next month or so. Also - the exploit is not public and I expect it will be kept a secret for as long as possible.

What to do?

For internet users: Make sure your browser, email client and operating system is bang up-to-date and apply updates immediately as they become available! If your preferred browser is slower than others in getting a fix then temporarily switch to one that does have the fix.

For website owners: If your using SSL at all e.g. ecommerce or email then get onto your hosts once a fix is released and make sure they are going to implement it ASAP. If they are not going to update then move to another host.

For web hosts: Keep your customers informed and hope a fix comes soon!!

I will try to update this post with info on browsers and server software as and when they begin to support TLS 1.1


© 2005-2022 Craig Mayhew