Banks, tech giants open to web interception attacks

Researcher lists insecure websites on 'bad list'.

The websites of eBay, PayPal, Microsoft and possibly Facebook are among scores vulnerable to an almost three-year-old TLS/SSL renegotiation flaw.

The flaw allows credentials to be stolen from encrypted data streams.

The vulnerable websites were posted on a list operated by Linux programmer Kai Engert in an effort to highlight that the SSL flaw is still active.

The flaw (CVE-2009-3555) allowed attackers to hijack secure transactions, but with limited access. The attack was demonstrated in 2009 by researcher Anil Kurmus, The Register reported.

However, Engert claims the flaw can only be fixed within web servers, not user web browsers, meaning visitors have remained exposed.

“Several major sites, even banking sites, still use a broken server configuration and are likely vulnerable to man-in-the-middle-attacks,” Engert wrote on the blog.

“What happened if a site administrator made a mistake, and accidentally used the wrong configuration? The site would still work, but the attack would work too, and nobody might notice.

“I hereby call the corporations who run those major sites, to increase security on the web, by eliminating these risks by upgrading to software that uses the fixed protocol RFC 5746.”

Engert’s page lists websites vulnerable to the SSL flaw including mobile.paypal.com, checks.bankofamerica.com, storage.adobe.com, shop.oracle.com, and downloadstore.dell.com.

The “arbitrary” list is updated every three hours.

Users can check whether their browsers support the SSL renegotiation fix at Engert’s website.

Copyright © SC Magazine, Australia
