Technology Review - Published By MIT

Technology Review in U.S. | en Español | auf Deutsch | in Italiano | 中文 | in India

Fixing a Hole in the Web

Continued from page 1

Tuesday, January 12, 2010

E-mail

Audio »

Print

Favorite

Share »

Frank Breedijk, a security professional at a provider of mission critical outsourcing services called Schuberg Philis, based in the Netherlands, says that Rescorla's draft does fix the protocol, but notes that it effectively creates two versions of TLS. If either the client or the server haven't yet installed the fix, he says, the attack is still possible. "TLS/SSL clients and servers are omnipresent," he says. "It's not just browsers and Web servers. Mobile phones, wireless access points, DECT phones, home security systems, and so on, all have the technology in them."

"If you believe that you need SSL at all, then you need this fixed," says Ben Laurie, a founding director of the Apache Software Foundation and an OpenSSL developer.

That may be easier said than done, however.

Ray and Dispensa disclosed the flaw to affected vendors in late September, and Laurie says it's been "no big deal" to write software that fixes it. What's tricky, he says, is getting the patch installed everywhere it needs to be. The fix is "unprecedented," Laurie says, because no one is fully protected until both the client and the server have installed the patch. As a result, browser makers working to fix the problem have to allow for a period when the client will continue to communicate with unpatched and possibly vulnerable servers.

"You can't have the clients say, 'Evil old server, can't connect to that,' because that would break the whole world," Laurie says. This means that a second patch will have to be applied to clients later, when experts determine that enough servers have been patched.

The process of getting out all the patches is complex enough that Joe Salowey, TLS working group cochair and a technical leader at Cisco Systems, believes it will be a year or more before the fix will be fully in place.

Tags

encryption Internet protocols Internet Security patches SSL

Related Articles

»

Computing with Secrets, but Keeping them Safe
06/11/2010
»

Several IE Flaws Could Add Up to a Big Problem
02/12/2010
»

Security in the Ether
12/21/2009

Comments

I am Liwen Zhang

I am Liwen zhang ,the following message is in Chinese language.

????????????

???
2010-01-12 20:24:13

??????,????????????Jxx?Wxx??????,?????????????????,????????
2010???????,???????????????????????????????????????????,??
?????Bosch??????????????????,??????????????,????Bosch??
????????????????,?Bosch?????????????????????????,?????????????
?????????,?????????????????

?????,????????,????????,?????????????,???????????????
?????????????????????????,?????????????????,?????????
??????????????????????????????,???????????????????
(
?????,?????????,???????????????????«???·???»???:??????????,?

???,??????,?????????,????????????????????????,???????????,??

????????
)
????????????,??????????????????,???????????????????
????????,????????,????????????????,????????,???????
??????????????????????????,???????,??????????????????

???2008???????,???????,????????????,??????????????
?????????,???????????,????????????????????
????????,???????????,??????,?????????,?????????;?????
??????,??????????????????,????????????,????????????????
?????????????????????,?????????????????

????????????Bosch?????????,????????????,??Bosch???????????
????????,Bosch?????????,?????????????????????????,Bosch??
???????????????,????????????????????????????,????????
????????????????,??????,?????????????,??????,?????????
??????????,???????????????????????????????,??????????
??????,??????,????????????????????,???,??????????????
??????????,???????????????????????????????????,?????????
??????,??????????????????????????????

???????CEO???????????,????????????,???????,????????
?????????,???????????,??????????????,??????????????????,
???????????????????????????

?2010-01-12 20:24:13?????????,?????????????,??24????,???????????
???????????????,???????????????????,?????????????????
?????,???????????,?????????,???????????

?2010-01-12 20:24:13?????????,24???,???????????????????????,
????????????

Rate this comment:

gearss
01/12/2010
Posts:15

Avg Rating:

Use SSL instead of TLS?

Does SSL have this flaw? Should I use SSL instead?

Rate this comment:

robert.hargr...
01/12/2010
Posts:33

Avg Rating:

Re: Use SSL instead of TLS?

Hi there,

TLS has replaced SSL--SSL is an older version of the same thing, though people often still call it SSL.

Rate this comment:

Erica Naone
01/12/2010
Posts:51

Avg Rating:

Computing

New Languages, and Why We Need Them » Get the newsletter »

Web

A Smoother Street View » Get the newsletter »

Communications

TR10: Social TV » Get the newsletter »

Energy

A Boost for Battery Life and Capacity » Get the newsletter »

Materials

Building Super-Fast Electronics Components » Get the newsletter »

Biomedicine

Speeding Up Diagnosis of Infectious Disease » Get the newsletter »

Business

Commercial Spaceflight, We Have a Problem » Get the newsletter »

Today's Stories

Sign Up now for the Technology Review Daily Newsletter » Follow Technology Review on Twitter »

Videos

Now Playing:
Car Chargers Get Smart
[Full Story] [Larger Video]

Latest Videos

Car Chargers Get Smart

Log In

Forgot your password?

Top Stories Of The Day

Most Read

Most Commented

Wikipedia to Add Meaning to Its Pages

Breathing New Life into Old Lungs

Passwords that are Simple--and Safe

How HTML5 Will Shake Up the Web

Technology Overview: Designing for Mobility

RSS Feeds

TR Top Stories		TR Editors' Blog
TR Audio		TR Video

Subscribe to Technology Review's e-mail update. Enter your e-mail address

Massachusetts Institute of Technology

© 2010 Technology Review. All Rights Reserved.