 |
| CNN WEB SITES: |
|
| TIME INC. SITES: |
| MORE SERVICES: |
| video on demand |
| video archive |
| audio on demand |
| news email services |
| free email accounts |
| desktop headlines |
| pointcast |
| pagenet |
| DISCUSSION: |
| message boards |
| chat |
| feedback |
| SITE GUIDES: |
| help |
| contents |
| search |
| FASTER ACCESS: |
| europe |
| japan |
| WEB SERVICES: |
From...
Hole in Internet security discovered
June 30, 1998
Web posted at: 2:05 PM EDT
by Brian McWilliams
(IDG) -- A computer scientist at Bell Labs has found a flaw in the Secure Sockets Layer, the encryption protocol used by many Web sites to secure transactions such as purchases and the exchange of sensitive information. Daniel Bleichenbacher said on Friday that in February he discovered an obscure way to guess the key used to encrypt an SSL transaction. The attack involves flooding a Web server with specially designed messages and then analyzing the error messages that come back.
| MORE COMPUTING INTELLIGENCE | ||
|---|---|---|
|
IDG.net home page | |
| PC World home page | ||
| FileWorld find free software fast | ||
| Make your PC work harder with these tips | ||
| Reviews & in-depth info at IDG.net | ||
|
IDG.net's desktop PC page | |
| IDG.net's portable PC page | ||
| IDG.net's Windows software page | ||
| IDG.net's personal news page | ||
| Questions about computers? Let IDG.net's editors help you | ||
|
Search IDG.net in 12 languages | ||
| News Radio | ||
|
PC World News Radio | |
|
|
Computerworld Minute audio news for managers | |
While it's only a theoretical attack and hasn't been tested in the real world, Bleichenbacher's discovery has sent Web security software firms scrambling to develop patches. But Bleichenbacher says there's no need for Internet users to be alarmed.
"I don't think that consumers have to be ... concerned about this attack," says Bleichenbacher. "The attack must send about 1 million messages to a server, and the server will of course notice that there is something wrong ... and create error [messages]."
So many error messages, says security expert Simson Garfinkel, that the logs of the server under attack could balloon to 300MB, potentially causing a hard-disk crash. The result would be a form of denial of service attack.
Garfinkel confirms that browser users face no privacy or security threats from the new hole. "For a consumer there's basically no risk," he says. "This is an attack that is very difficult to mount and leaves very obvious traces. And furthermore it's an attack that can be fixed -- it's not a fundamental flaw in the protocol."
Indeed, RSA Data Security, the company that developed a technology on which SSL is based, announced on Friday that it is working with a group of leading Internet-software vendors on preemptive countermeasures for thwarting such attacks.
Microsoft and Netscape Communications also
reassured users of their Web browsers that no changes
are necessary on the client side of an SSL connection.
CNN Programs
Sunday 1:30pm - 2:00pm ET (10:30am - 11:00am PT)
Saturday 1:30pm - 2:00pm ET (10:30am - 11:00am PT)