Tuesday, January 6, 2009

E-Commerce Not Safe in Web Browser Followup

SSL Crisis Averted -- For Now - DarkReading
Last Friday, I posted about a "serious vulnerability" within ALL web browsers, and that a "key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability."

(see my post "E-Commerce and Browsers Don't Mix")

Yesterday, Dark Reading said the SSL crisis has been "possibly" (there's no way of knowing) averted...for now anyway. (As a die-hard Cub fan, I cannot resist the temptation to add the famous "Wait til next year" mantra. Wait...since last week, this week IS next year...)

Anyway, here's a portion of that article. To read it in its entirety, click the link at the bottom of this post...


SSL Crisis Averted -- For Now

VeriSign quickly fixes vulnerable SSL digital certificates at risk of newly revealed hack, but experts say there's no way to know for sure if phony certificates exist from previous attacks 

Jan 05, 2009 | 02:55 PM
By Kelly Jackson Higgins - DarkReading

It took VeriSign only four hours to close a hole that had left customers of some of its digital certificates vulnerable to a new attack revealed by researchers just before the new year. White-hat hackers exploited a known weakness in the algorithm in some digital certificates that allowed them to impersonate secure Websites.

While the attack was considered deadly due to its transparency and ability to mimic a secure Website, the good news is that it was isolated to only a minority of digital certificates that use the older and less secure MD5 algorithm. According to Netcraft, about 15 percent of all digital certificates in December were signed with MD5.  (Editor's Note:  The bad news is that 15 percent of all digital certificates were signed with MD5)

The researchers demonstrated at the 25th Chaos Communication Congress in Berlin last week how they were able to purchase a legitimate certificate from RapidSSL, which is part of VeriSign, and then forge a phony trusted certificate authority.

Story continued at Dark Reading (but before you go...here's an additional snippet)

End of (threat) story? Not exactly. Although researcher Alexander Sotirov admits it's unlikely the attack has been performed before, he and other researchers say there's still no way to know for sure: "Even though it's unlikely, the theory behind our attack has been published since 2007, and it is possible that somebody else has been able to implement it. In this case, any one of the certificates issued by RapidSSL since 2007 could have been malicious, but there is no way to detect which one," he says.
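The article's practical takeaway for anyone running or auditing a site is the 15 percent figure: certificates signed with MD5 are the ones exposed to this class of collision attack, and the first thing to check is the signature algorithm on each certificate in your chain. The following is an added example, not code from the DarkReading article, the blog, or the researchers. It is a minimal DER walker in standard-library Python that reads an X.509 Certificate, skips the tbsCertificate, and decodes the signatureAlgorithm OID so the MD5-based algorithm (md5WithRSAEncryption, OID 1.2.840.113549.1.1.4) can be flagged. The two sample certificates it parses are constructed skeletons with placeholder contents, assumed here only so the code runs offline; against a real certificate you would pass the DER bytes of the file instead.

```python
"""Flag X.509 certificates whose signature algorithm is MD5-based.

Added example (not from the DarkReading article or the blog). Only the
standard library is used; the sample certificates are constructed skeletons.
"""
from typing import Tuple

# PKCS#1 RSA signature algorithm OIDs (1.2.840.113549.1.1.x)
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4"}  # MD5-based, collision-prone


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    first = content[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the dotted OID from the Certificate's outer signatureAlgorithm."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert_body, 0)          # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert_body, after_tbs)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_bytes)


def is_md5_signed(cert_der: bytes) -> bool:
    """True when the certificate's signature uses an MD5-based algorithm."""
    return signature_algorithm_oid(cert_der) in WEAK_SIGNATURE_OIDS


def der(tag: int, content: bytes) -> bytes:
    """Encode a TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def sample_certificate(alg_oid_content: bytes) -> bytes:
    """Constructed skeleton: an opaque placeholder stands in for tbsCertificate.

    The placeholder is longer than 127 bytes so the long-form length path
    of read_tlv is exercised, as it would be on a real certificate.
    """
    tbs = der(0x30, der(0x04, b"\x00" * 200))
    alg = der(0x30, der(0x06, alg_oid_content) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 16)
    return der(0x30, tbs + alg + sig)


MD5_OID = bytes.fromhex("2A864886F70D010104")     # 1.2.840.113549.1.1.4
SHA256_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for name, oid in (("md5-sample", MD5_OID), ("sha256-sample", SHA256_OID)):
        cert = sample_certificate(oid)
        dotted = signature_algorithm_oid(cert)
        verdict = "WEAK: MD5 signature" if is_md5_signed(cert) else "ok"
        print(f"{name}: {OID_NAMES.get(dotted, dotted)} -> {verdict}")
```

Note that this checks only the algorithm named in the outer signatureAlgorithm field; the check should be run on every certificate in the chain, since an MD5-signed intermediate is exactly what the forged CA in the article relied on. As the researchers say, a clean chain today tells you nothing about certificates that may already have been issued under a vulnerable root.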
