PhoneFactor Team Discovers Vulnerability in SSL Authentication
Earlier this week, PhoneFactor released the details of a serious vulnerability in SSL/TLS authentication, which was discovered by PhoneFactor team members Marsh Ray and Steve Dispensa in August 2009. The SSL authentication gap allows for a standard man-in-the-middle attack in which an attacker is able to inject malicious data and commands into the authenticated SSL communications path.
For the past few months, PhoneFactor been working closely with a group of affected vendors and the relevant standards committees on mitigation strategies. News of the vulnerability broke when a member of an IETF working group independently discovered the issue and posted it to an IETF mailing list on November 4th. Word quickly spread through the IT security community.
PhoneFactor set up a resource center at http://www.phonefactor.com/sslgap/ with the latest news and information about the ssl/tls vulnerability and available patches.
Leave a Reply