The speed at which problems with the Secure Socket Layer (SSL) system have been fixed shows that the industry is more accepting of independent security research, according to one of the researchers who discovered the flaw.Dan Kaminsky said that the industry's reaction was impressive, and could provide a template for future interaction."Maybe for the first time vendors got together and fixed the problem nicely, " said Kaminsky, a security consultant at IOActive. "That's so different from their handling of every other kind of cryptographic vulnerability."Part of the reason could be the importance of SSL to the computer community, and the shock of seeing an imminent hack. Kaminsky doubted that the flaw is being used at the moment, but warned that it could not be ruled out.The hack could allow an attacker to run a 'man in the middle' routine to get past the SSL security procedures. The attacker would have to gain access to a target's servers first, but this is not difficult, according to Kaminsky.Fellow researcher Moxie Marlinspike also showed how SSL could be subverted by installing a 'null' value in a bogus certificate to allow code injection. Kaminsky admitted that this attack was even more sophisticated than his.Mozilla has already fixed the problem, and Microsoft said that it is close to a solution. VeriSign, meanwhile, is confident that its certificates are safe."The stuff Dan [Kaminsky] has been doing is kicking away at the infrastructure of the internet," said Jeff Moss, founder of the Black Hat and Defcon conventions, and currently a member of the US Homeland Security Department's advisory council."After the Domain Name System and SSL, I don't know what's left. It's one of the very few times when we've seen an attack coming and been able to stop it."
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.