New SSL attack can steal data from secure sites

By siliconindia   |   Wednesday, 25 November 2009, 22:01 IST   |    5 Comments
Bangalore: A Seattle-based computer security consultant says he has developed a new way to exploit a recently disclosed bug in the Secure Sockets Layer (SSL) protocol, which is used to secure communications on the internet. The attack, while difficult to execute, could help attackers mount very powerful phishing attacks. Frank Heidt, Chief Executive of security engineering consultancy Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of websites. While the attack is extremely difficult to pull off - the hacker would first have to carry out a man-in-the-middle attack, running code that compromises the victim's network - it could have devastating consequences, reports InfoWorld.

The attack exploits the SSL Authentication Gap bug, first disclosed on November 5. One of the SSL bug's discoverers, Marsh Ray at two-factor authentication provider PhoneFactor, says he has seen a demonstration of Heidt's attack and is convinced it could work. "He did show it to me and it's the real deal," Ray said.

The SSL Authentication Gap flaw gives the attacker a way to change data being sent to the SSL server, but still no way to read the information coming back. Heidt sends data that causes the SSL server to return a redirect message, which then sends the web browser to another page. He uses that redirect to move the victim onto an insecure connection, where the web pages can be rewritten by Heidt's computer before they are sent to the victim. "Heidt has shown a way to leverage this blind plain text injection attack into a complete compromise of the connection between the browser and the secure site," Ray said.

A consortium of internet firms has been working to fix the flaw since the PhoneFactor developers first uncovered it several months ago. Their work gained new urgency when the bug was inadvertently disclosed on a discussion list.
Security experts have been debating the severity of this latest SSL flaw since it became public knowledge.