August 23, 2010
PhoneFactor Successful in Addressing SSL/TLS Authentication Vulnerability
By Vinti Vaid, TMCnet Contributor
PhoneFactor, Inc., a provider of phone-based multi-factor authentication services, announced that it has been successful in handling the SSL/TLS authentication project.
Microsoft released patches covering all supported versions of Windows last week, making it possible for major vendors to address the issue of the SSL/TLS vulnerability without any problems.
Marsh Ray, a PhoneFactor team member, discovered that the SSL authentication gap made it easy for an attacker to launch a “man-in-the-middle” attack by introducing malicious data and commands into the authenticated SSL communications path. The vulnerability cropped up due to a weakness in the SSL protocol standard (formally known as Transport Layer Security, or TLS).
Dan Geer, chief information security officer for In-Q-Tel, stated that the discovery of the vulnerability could have far-reaching implications since the problem is not vendor-specific but built-in, and one that could impact the entire industry. Geer added that PhoneFactor should be appreciated for its part in discovering and handling the issue.
Twitter suffered a working problem just days after the vulnerability became public. Based on the severity of the vulnerability, Microsoft rated the issue as "important," the second-highest classification on its four-tier scale.
A new SSL protocol (RFC 5746) is in place now. The first fixes, which disabled the offending SSL/TLS renegotiation process, have since been replaced with secure implementations of renegotiation from Microsoft, OpenSSL, and Oracle's Java.
Marsh Ray explained that in most instances vendors are often criticized for slow responses to defects; however, with the addressing of this vulnerability, what has become apparent is that the industry can work together to fix a challenging bug in an interoperable protocol in record time, which definitely amounts to announcing victory.
Vinti Vaid is a contributing editor for TMCnet.
Edited by Erin Harrison