Hole in Internet security discovered

June 30, 1998
Web posted at: 2:05 PM EDT

by Brian McWilliams

(IDG) -- A computer scientist at Bell Labs has found a flaw in the Secure Sockets Layer, the encryption protocol used by many Web sites to secure transactions such as purchases and the exchange of sensitive information. Daniel Bleichenbacher said on Friday that in February he discovered an obscure way to guess the key used to encrypt an SSL transaction. The attack involves flooding a Web server with specially designed messages and then analyzing the error messages that come back.

While it's only a theoretical attack and hasn't been tested in the real world, Bleichenbacher's discovery has sent Web security software firms scrambling to develop patches. But Bleichenbacher says there's no need for Internet users to be alarmed.

"I don't think that consumers have to be ... concerned about this attack," says Bleichenbacher. "The attack must send about 1 million messages to a server, and the server will of course notice that there is something wrong ... and create error [messages]."

So many error messages, says security expert Simson Garfinkel, that the logs of the server under attack could balloon to 300MB, potentially causing a hard-disk crash. The result would be a form of denial-of-service attack.

Garfinkel confirms that browser users face no privacy or security threats from the new hole. "For a consumer there's basically no risk," he says. "This is an attack that is very difficult to mount and leaves very obvious traces. And furthermore it's an attack that can be fixed -- it's not a fundamental flaw in the protocol."

Indeed, RSA Data Security, the company that developed a technology on which SSL is based, announced on Friday that it is working with a group of leading Internet-software vendors on preemptive countermeasures for thwarting such attacks.

Microsoft and Netscape Communications also reassured users of their Web browsers that no changes are necessary on the client side of an SSL connection.

    © 2000 Cable News Network. All Rights Reserved.