Should we be concerned that SSL has been hacked?

Recently, a research group hacked SSL, albeit version 1.0, which is a later version. There are some other hindrances in the method they've used, but they've exposed SSL vulnerabilities to the world now. Ref: http://www.readwriteweb.com/archives/breaking_the_internet_researchers_successfully_hac.php

excerpt...

Researchers Thai Duong and Juliano Rizzo essentially slipped a Trojan Horse into the SSL communication between the server and the client that decrypts the information, according to The Register. Instead of cracking or forging digital certificates, as has been seen with the recent DigiNotar controversy, the SSL hack goes straight to the heart of how it works.

What are the implications of this event? Should we be worried? What should the software development community do now, if anything?


Best Answer

1
Andrew Baker
Director, Service Operations, SWN Communications Inc.

Actually, it was version 1.0 of TLS (which is higher than 1.0 of SSL) that has theoretically been compromised.

Yes, there should be some concern if other researchers are able to verify this attack, and although this doesn't impact TLS v1.1 or v1.2, those are virtually unused.

Changing to a new version of SSL/TLS will be a complicated affair, because it's not just desktop PCs and Servers that will need to be updated. We will need to update a variety of mobile devices, some of which are old and not updated anymore. And, we *might* need to change a variety of certificates.

It remains to be seen how non-trivial of an attack this can be, and in all likelihood, very few changes will be made until someone suffers a breach that can be attributed to this attack vector.

-ASB: http://XeeMe.com/AndrewBaker

0
Andrew Baker replied on Sept. 22, 2011

Here's some more info that I came across: http://isc.sans.edu/diary.html?date=2011-09-22

1
Glen Marshall
Principal, Grok-A-Lot, LLC

Of course we should be concerned about any reported breaking of a security technology, especially one that is widely used. What we need now is an analysis of the threat and some metrics on how to gauge the risks in specific environments. There is a strong likelihood of costly over-reaction without such an analysis. Specifically, it is too early to initiate urgent mass migration to newer TLS versions or different technologies.

At the same time, if current implementations are locked into a specific version of the TLS standard and cannot be readily upgraded... shame on the designers and implementers. Good security practices always allow for the ability to incorporate new/improved risk mitigations without breaking the code or the bank.
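The point made in the two answers above, that migrating away from TLS 1.0 is only cheap when the version floor is a setting rather than something baked into the code, is illustrated below with an added Python example using the standard library `ssl` module. It is not code from the original thread or from either answerer. The floor is taken from a configuration value (the `tls_min_version` key is an assumed name), and an audit helper reports which protocol versions a given context would still negotiate, so a deployment can be checked for legacy versions without touching application code.

```python
import ssl

# Protocol versions in negotiation order, oldest to newest. Python's
# ssl.TLSVersion enum uses these member names; SSLv3 is listed only so a
# context with no explicit floor can be described honestly.
_VERSION_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Constructed sample configuration; "tls_min_version" is an assumed key name.
SAMPLE_CONFIG = {"tls_min_version": "TLSv1_2"}


def build_client_context(config: dict) -> ssl.SSLContext:
    """Build a client-side context whose protocol floor comes from config.

    Raising the floor later (e.g. to TLSv1_3) is a configuration change,
    not a code change, which is the property Glen's answer asks for.
    """
    name = config.get("tls_min_version", "TLSv1_2")
    try:
        floor = ssl.TLSVersion[name]
    except KeyError:
        raise ValueError(f"unknown TLS version name in config: {name!r}")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = floor
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """Return the protocol versions this context would accept, oldest first.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels meaning "whatever
    the linked TLS library allows", so they are mapped to the ends of the
    list; the library may still refuse some of them at handshake time.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    lo_idx = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else _VERSION_ORDER.index(lo)
    hi_idx = (len(_VERSION_ORDER) - 1
              if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED else _VERSION_ORDER.index(hi))
    return _VERSION_ORDER[lo_idx:hi_idx + 1]


def allows_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or anything older."""
    legacy = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}
    return any(v in legacy for v in negotiable_versions(ctx))


if __name__ == "__main__":
    ctx = build_client_context(SAMPLE_CONFIG)
    print("negotiable:", [v.name for v in negotiable_versions(ctx)])
    print("legacy TLS reachable:", allows_legacy_tls(ctx))
```

`allows_legacy_tls` is the check to run in a deployment test: if it returns true for the context an application actually uses, the fix is a one-line change to the configuration value rather than a rebuild, which is exactly the kind of upgrade path the answer argues every implementation should have had from the start.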
