Thursday, November 5, 2009

Critical Flaw in SSL Found, Software Makers Scrambling for Band-Aid!

As previously reported in this blog, SSL cannot be trusted to secure financial transaction data.  Bottom line?  You need hardware to do that.  Here's a sampling of reports gathered from the various news organizations on the discovery that if you trust SSL (or EV-SSL) to ensure a secure financial environment...you are SOL.


SSL Hole Cracks Open Secured Web Traffic
PC World

A critical new flaw in SSL, or the Secure Sockets Layer used to protect Web traffic for online banking, shopping, and any other https connection, allows an attacker to break into any theoretically secured connection and add malicious commands.

Scramble on to fix flaw in SSL security protocol - Computer World

Software makers around the world are scrambling to fix a serious bug in the technology used to transfer information securely on the Internet.

The flaw lies in the Secure Sockets Layer (SSL) protocol, which is best known as the technology used for secure browsing on Web sites whose URLs begin with HTTPS. The bug lets attackers intercept secure SSL communications between computers using what's known as a man-in-the-middle attack. - IDG News Service

Major SSL Flaw Find Prompts Protocol Update - Dark Reading

SSL has been under siege over the past year, with the groundbreaking man-in-the-middle hack by researcher Moxie Marlinspike, which dupes a user into thinking he's in an HTTPS session when in reality he has been taken elsewhere by the attacker, as well as Kaminsky's research exposing critical flaws in X.509 certificate technology used in SSL.

But this latest threat lies within the SSL protocol itself, and will require fixes to browsers, Web servers, database servers, mail servers, SQL servers, smart cards, and other SSL-based software.

"All the [SSL] attacks I've seen [recently] have been around the client or server software, or the way it handles a certificate," Ray says. "What's different with this [bug] is that both the client and server need to be patched to restore the full security guarantees that are expected with TLS."

Editor's Note:  I know that sometimes I must sound like Chicken Little with all my ranting about how dangerous the web is to conduct financial transactions. 

I don't mean to sound that way.  The sky isn't falling. 

You know what is?  Consumer confidence in online banking and online shopping.  

HomeATM can restore that confidence with the safest and most secure way to authenticate oneself for an online banking session. 

We provide banks with a device that replicates an ATM transaction: "Swipe your card, enter your PIN." Safe enough to dispense cash in the middle of the night? Safe enough to authenticate the online banking customer. Works for online shopping too. It replicates the exact same experience consumers have used at brick-and-mortar locations for decades: swipe their card in a point-of-sale terminal (and enter a PIN, if applicable).

Meanwhile, the online shopper and the Online Banking customer's data NEVER enters the browser...data is encrypted "inside the box" and the encrypted data is sent using the Internet as a conduit. 