Fix Proposed for TLS Flaw

January 14, 2010

According to an article in Technology Review, the Internet Engineering Task Force [IETF] has approved a proposed modification to the standard for the Transport Layer Security [TLS] protocol, which addresses a serious security vulnerability. (TLS is the protocol that, among other things, is used to provide a secure connection between your browser and a Web site, often indicated by the little padlock icon, like the one at the right. An earlier version was called Secure Sockets Layer [SSL].)

This fix is a little different from most of the ones that we talk about here, because it is not a program bug (that is, a failure of the program to conform to its specification), but a defect in the protocol specification itself. The protocol, in its original version, is vulnerable to a “man-in-the-middle” attack, in which the attacker hijacks a just-established TLS connection under the guise of renegotiating the session’s parameters. The original version of TLS does not adequately verify that the party that requests renegotiation is one of the original parties to the transaction.

Getting this fix deployed is going to require a significant effort, and a significant amount of time.  The TLS protocol is extensively used, not just in Web browsers, but in many other places:

It’s not just browsers and Web servers. Mobile phones, wireless access points, DECT phones, home security systems, and so on, all have the technology in them.

The implementation plan will have to allow for a transition period in which some, but not all, TLS applications are updated, to avoid breaking large portions of the Web.

As a result, browser makers working to fix the problem have to allow for a period when the client will continue to communicate with unpatched and possibly vulnerable servers.

Hopefully the update can be accomplished without too much dislocation.

