Net security software exposed
From: rizwan (s2reahme@hotmail.nospam.com)
Date: 02/20/03
- Next message: Mrsjunecarey: "ANNOUNCE: New "Leopard7" CSPRNG !"
- Previous message: Roger Schlafly: "Re: Diffie Hellman + AES (Rjindael) Patent/Licensing?"
- Next in thread: Mads Rasmussen: "Re: Net security software exposed"
- Maybe reply: Mads Rasmussen: "Re: Net security software exposed"
- Reply: Jason: "Serious TLS vuln. Was: Net security software exposed"
- Reply: Vlastimil Klima: "Re: Net security software exposed"
From: "rizwan" <s2reahme@hotmail.nospam.com> Date: Thu, 20 Feb 2003 10:54:02 -0800
http://news.bbc.co.uk/2/hi/technology/2785145.stm
Net security software exposed
The most commonly used security system to protect passwords over the
internet has been cracked by researchers at one of Switzerland's top
technology universities.
A team at the Federal Institute for Technology in Lausanne said they had
been able to decipher a password in less than an hour.
"It is the first time we have noticed a security problem in the SSL protocol
itself and not in how we use it or how we implement it," Professor Serge
Vaudenay, director of the institute's security and cryptography lab, told
the BBC.
But the researchers say the loophole does not apply to credit card
transactions, as banks and e-commerce sites use a different type of SSL
(Secure Sockets Layer) technology.
Webmail exposed
Up until now, SSL technology had been thought to be completely secure.
Websites protected by SSL systems are marked by an internet address which
begins with "https://." On most browsers, a small lock and key icon will
appear at the bottom of the browser to show it is a secure connection.
It is widely used across the web by webmail and e-commerce sites to protect
customer information and transactions.
SSL works by encrypting a password or credit card number, using a secret
code to scramble the information so that if anyone intercepts it, they will
not be able to read it.
Various types of algorithms are used in SSL technology to encrypt
information.
The type of SSL protocol hacked by the scientists was one used for webmail,
rather than for banking or credit card payments.
"We intercepted a connection, replaced it with a fake one and looked at the
behaviour of the server," Prof Vaudenay told the BBC.
He explained that the team were able to gain a small amount of information
as the computer and the server talked to each other.
"We got a small bit of information about the password each time and after
160 attempts we were able to reconstruct it."
Encrypted data
But Prof Vaudenay said the loophole did not present a serious security
problem as it relied on the password being frequently sent to a server.
"The e-mail application regularly sends authentication to the server, like
log in name and password of the user, without bothering the user," he
explained.
In contrast, a password is usually only typed in once for most e-commerce
transactions.
Security experts said people should not be concerned about giving their
credit card details on sites using SSL.
"I would be surprised if this was a threat to consumers purchasing online,"
said a spokeswoman for net security consultants RSA.
"SSL protocols use a 1,024 encryption and all traffic is encrypted with that
key."
The Swiss researchers said they had passed on their findings to SSL's
developers, who have closed the loophole in the latest version of the
software.
Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/2785145.stm
Published: 2003/02/20 17:48:20
© BBC MMIII