CNN.com

Hole in Internet security discovered

June 30, 1998
Web posted at: 2:05 PM EDT

by Brian McWilliams

(IDG) -- A computer scientist at Bell Labs has found a flaw in the Secure Sockets Layer, the encryption protocol used by many Web sites to secure transactions such as purchases and the exchange of sensitive information. Daniel Bleichenbacher said on Friday that in February he discovered an obscure way to guess the key used to encrypt an SSL transaction. The attack involves flooding a Web server with specially designed messages and then analyzing the error messages that come back.

While it's only a theoretical attack and hasn't been tested in the real world, Bleichenbacher's discovery has sent Web security software firms scrambling to develop patches. But Bleichenbacher says there's no need for Internet users to be alarmed.

"I don't think that consumers have to be ... concerned about this attack," says Bleichenbacher. "The attack must send about 1 million messages to a server, and the server will of course notice that there is something wrong ... and create error [messages]."

So many error messages, says security expert Simson Garfinkel, that the logs of the server under attack could balloon to 300MB, potentially causing a hard-disk crash. The result would be a form of denial of service attack.

Garfinkel confirms that browser users face no privacy or security threats from the new hole. "For a consumer there's basically no risk," he says. "This is an attack that is very difficult to mount and leaves very obvious traces. And furthermore it's an attack that can be fixed -- it's not a fundamental flaw in the protocol."

Indeed, RSA Data Security, the company that developed a technology on which SSL is based, announced on Friday that it is working with a group of leading Internet-software vendors on preemptive countermeasures for thwarting such attacks.

Microsoft and Netscape Communications also reassured users of their Web browsers that no changes are necessary on the client side of an SSL connection.
