12/27/2009 4:39:00 PM
by Avri Schneider
Researchers have uncovered a flaw in the Transport Layer Security (TLS) protocol, allowing attackers to inject arbitrary text into an encrypted session. In some cases, this attack enables an attacker to completely compromise the secured connection by either performing an arbitrary action on behalf of the user, or stealing their credentials for later use.
Organizations, Banks and governments count on TLS/SSL to securely authenticate their users, clients and citizens. A flaw such as this puts the whole world at risk. TLS/SSL being susceptible to a man-in-the-middle attack is serious business. It's whole point was enabling two parties to exchange messages without the ability of an intercepting third party to see and/or manipulate any of the traffic, as well as authenticating each message as originating from the claimed sender. There is currently no patch or hot-fix that will not potentially break existing configurations and nothing but upgrading the technology used by everyone today will protect governments, organizations and users from this attack.
More information can be found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
