Browser developers scramble to fix major security flaw in SSL technology

The SSL security problem relates to the way the SSL 3.0+ and TLS+ (transport layer security) operates when an SSL session is renegotiated for any reason, since the flaw appears to allow the insertion of a plain piece of text into the session process.

The unencoded piece of text could be used to trigger a man-in-the-middle hacker attack and, say various sources, this is where the major problem lies.

The possibility of man-in-the-middle attacks being triggered by SSL vulnerabilities was detailed by Peter Wood, an ISACA professional and chief of operations with First Base Technologies at the Infosecurity show back in April of this year.

At the time, Wood said that, under certain circumstances, it is even possible for a hacker to seize control of a supposed secure - and authenticated - IP session just as the user has entered their payment card data and other personal information.

Wood speculated that hackers may already be aware of what is a structural security flaw on the internet, bearing in mind a number of high profile hacks of e-commerce sites that use secure protocols to protect the interests of their customers.

That speculation now appears to have been correct, as Marsh Eay, an authentication software developer with PhoneFactor has posted details of what has been happening in recent weeks on his blog.

According to Ray, a number of interested parties, including members of ICASI and the IETF held a meeting in California at the end of September, at which an agreement on a "tentative solution" to the SSL security flaw was agreed upon and `Project Mogul' - a cross-party development project - has been in progress ever since.

Since then, the project has reportedly been given high importance in the internet software development community, with vendors whose products that use SSL and TLS technology working hard to develop workarounds.

The last few days, however, have seen the plans for Project Mogul being scuppered when a SAP engineer called Martin Rex stumbled across the SSL / TLS flaw all by himself and - apparently unaware of the potential serious nature of the flaw - posted his observations on the public section of the IETF's discussion list.

It was at this stage that PhoneFactor decided to report on the SSL security flaw in the firm's blog, since when newswires have been picked up on the problem.

The software vendor community, meanwhile, continues to develop workarounds and solutions to this potentially very major security problem in SSL.

What’s hot on Infosecurity Magazine?