Blog: Fixing a Hole in the Web

Fixing a Hole in the Web
Technology Review (01/12/10) Naone, Erica

A fix that the Internet Engineering Task Force recently approved to patch a vulnerability in the protocol that encrypts sensitive Web-based communications and transactions is expected by experts to take a year or more to be fully deployed. The patch fixes the Transport Layer Security (TLS) protocol, which is built into Web browsers and servers and shields critical information, and which has supplanted the Secure Socket Layer protocol. By exploiting the TLS flaw, an attacker can commandeer the first moment of the encrypted conversation between a Web browser and server and insert a command of his own. Exploiting the vulnerability requires the hacker to first carry out a man in the middle attack to capture traffic between the client and the server, and then take advantage of TLS' renegotiation feature. This feature permits a Web server or client to revise some of the parameters of an encrypted session while the session is taking place. Security professional Frank Breedijk says the protocol is patched by a draft fix that effectively produces two versions of TLS--thus keeping the danger of attack alive if either the client or the server fails to install the patch. Apache Software Foundation founding director Ben Laurie says that this double installation requirement makes the fix "unprecedented," so browser makers working to correct the problem will need to make accommodations for a period in which the client will continue communicating with unpatched servers.

View Full Article