A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions.
Ray, who along with Dispensa works for two-factor authentication company PhoneFactor, explained in a blog post on Thursday that he had initially discovered the flaw in August, and demonstrated a working exploit to Dispensa at the beginning of September.
The flaw in the TLS authentication process allows an outsider to hijack a legitimate user's browser session and successfully impersonate the user, the researchers said in a technical paper.
The fault lies in an "authentication gap" in TLS, Ray and Dispensa said. During the cryptographic authentication process, in which a series of electronic handshakes take place between the client and server, there is a loss of continuity in the authentication of the server to the client. This gives an attacker an opening to hijack the data stream, they said.
In addition, the flaw allows practical man-in-the-middle attacks against HTTPS servers, the researchers said. HTTPS is the secure combination of HTTP and TLS used in most online financial transactions.
The flaw will prove a problem for a long time to come, security researcher Chris Paget wrote in a blog post, as it also affects SSL.
"How about the thousands of different software update mechanisms out there that depend on SSL being secure in order to function?" wrote Paget. "This is a protocol-level breach; one that requires a modification to the way that SSL and TLS function in order to repair."
After they found the flaw, Ray and Dispensa disclosed their findings to the Industry Consortium for the Advancement of Security on the Internet (Icasi), a tech association that consists of Cisco, IBM, Intel, Juniper Networks, Microsoft and Nokia. The researchers also alerted the Internet Engineering Task Force (IETF) and a number of open-source SSL implementation projects.
On 29 September, the various groups involved met and decided to set up a project, called Project Mogul, to handle remediation efforts. It will first concentrate on creating a protocol extension as a preliminary solution. Ray said in his blog that he expected to see announcements from the multi-vendor collaboration "shortly", including an internet draft proposal for the fix.
At the September meeting, Ray and Dispensa were informed about research being done by the IETF TLS Channel Bindings working group, which was following a similar line of inquiry into the TLS protocol.
On Wednesday, Martin Rex, a member of the IETF TLS Channel Bindings working group and researcher at SAP, published a man-in-the-middle TLS renegotiation flaw in Microsoft IIS. The flaw, which is essentially the same as the one discovered by Ray, was publicised on Twitter by security researcher HD Moore.
Ray and Dispensa concluded on Wednesday that the flaw was now in the public domain, and so opted for full disclosure of their work.