The Internet Engineering Task Force (IETF) has completed a security extension to the Secure Sockets Layer (SSL) protocol that fixes a flaw affecting browsers, servers, smart cards, and VPN products, as well as many lower-profile devices, such as Webcams, that contain the protocol embedded in their firmware.
Members of the IETF, the Industry Consortium for the Advancement of Security on the Internet, and several vendors, including Google, Microsoft, and PhoneFactor, have been working on a fix since October for the bug, which is basically a gap in the authentication process that lets an attacker execute a man-in-the-middle (MITM) attack and inject his own text into the encrypted SSL connection. The gap occurs in the renegotiation process of the session, when some applications require the encryption process be refreshed at a certain point.

Marsh Ray, a senior software development engineer for PhoneFactor who first discovered the SSL bug in August, says the IETF's extension to SSL, which is the Transport Layer Security (TLS) protocol in IETF parlance, secures the renegotiation process.

"This is a short extension to the handshake protocol of TLS," Ray says. "Some identifiers from the previous session are carried over to the handshake in the subsequent session."

The link for this article located at Dark Reading is no longer available.