SSL flaw fixing shows industry can work together

Hackers and corporates co-operate.

The speed at which problems with the Secure Socket Layer (SSL) system have been fixed shows that the industry is more accepting of independent security research, according to one of the researchers who discovered the flaw.

Dan Kaminsky said that the industry's reaction was impressive, and could provide a template for future interaction.

"Maybe for the first time vendors got together and fixed the problem nicely, " said Kaminsky, a security consultant at IOActive. "That's so different from their handling of every other kind of cryptographic vulnerability."

Part of the reason could be the importance of SSL to the computer community, and the shock of seeing an imminent hack. Kaminsky doubted that the flaw is being used at the moment, but warned that it could not be ruled out.

The hack could allow an attacker to run a 'man in the middle' routine to get past the SSL security procedures. The attacker would have to gain access to a target's servers first, but this is not difficult, according to Kaminsky.

Fellow researcher Moxie Marlinspike also showed how SSL could be subverted by installing a 'null' value in a bogus certificate to allow code injection. Kaminsky admitted that this attack was even more sophisticated than his.

Mozilla has already fixed the problem, and Microsoft said that it is close to a solution. VeriSign, meanwhile, is confident that its certificates are safe.

"The stuff Dan [Kaminsky] has been doing is kicking away at the infrastructure of the internet," said Jeff Moss, founder of the Black Hat and Defcon conventions, and currently a member of the US Homeland Security Department's advisory council.

"After the Domain Name System and SSL, I don't know what's left. It's one of the very few times when we've seen an attack coming and been able to stop it."