Vulnerabilities in the Media -- who to trust?

    Date01 Apr 2003
    3124
    Posted ByAnthony Pell
    It seems that there are more sources of information about Security problems every day. The hardest part about trying to keep up with it all is to figure out who to trust. Let's take a recent example. . . It seems that there are more sources of information about Security problems every day. The hardest part about trying to keep up with it all is to figure out who to trust. Let's take a recent example.

    Back in mid February, 2003, scientists at a Swiss university were able to exploit a weakness in an SSL implementation to allow them to discover the password being repeatedly sent in many SSL-wrapped IMAP sessions.

    The Facts

    • This only affected the OpenSSL implementation of SSL
    • The vulnerability relied on a timing attack - the SSL server would not perform all it's number crunching if it found that the data had been tampered with. By tampering with the inbound data in a careful manner, they were able to determine how 'valid' it was by measuring the time it took for the server to complain.
    • Any malicious hacker, in order to perform this kind of attack, would need to be able to rewrite packets as they were transmitted, man-in-the-middle fashion. One could not sit passively and listen to perform this attack.
    • The data to be decoded needs to be in a predictable location, and sent frequently enough times that they can discover the plaintext.
    • Each time they try to attack an SSL session, the client and server will notice the error. You'd not successfully get your email while you were being attacked, and you'd probably stop trying after a while, or ask the administrator to check things out. by their

    The Hype

    Shortly after the announcement, every website with a readership of three or more seemed to be saying that SSL had been broken -- the end of the Internet was near -- all your passwords are belong to us. In the huge noise some amazingly erroneous statements were made:

    • "Hackers can read all your data now"

      No, they can only try to manipulate your transmissions to decode a particular section of it. This sensitive info needs to be in a predictable place each time.

    • "The attack only affects webmail"

      ...

    You are not authorised to post comments.

    LinuxSecurity Poll

    Do you reuse passwords across multiple accounts?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /component/communitypolls/?task=poll.vote
    13
    radio
    [{"id":"55","title":"Yes","votes":"0","type":"x","order":"1","pct":0,"resources":[]},{"id":"56","title":"No","votes":"0","type":"x","order":"2","pct":0,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.