Another bug has recently been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. This was discovered by three Google security researchers who went on to offer detailed info about how it could be exploited. That info is readily available but far too technical for this medium.
It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design but in the old SSLv3 protocol. SSL Certificates themselves are not affected and customers with certificates on servers supporting SSL 3.0 do not need to replace them.
The usage of Hotspots, public Wi-Fi, makes this attack a real problem. This type of attack falls into the “Man-in-the-middle” category. Basically, an attacker that controls the network between the computer and server could interfere with the handshake process used to verify which cryptography protocol the server can accept. It does this by using what is referred to as a “protocol downgrade dance”. This “dance” will force computers to use the older SSL 3.0 protocol to protect the data being sent. Attackers can then exploit the bug by carrying out a man-in-the-middle (MITM) attack to decrypt secure HTTP cookies, which in turn could let them steal information or take control of the victim’s online accounts. Remediation steps, by webmasters around the world have already begun but there still remains a lot of work to be done.
What End-Users Need to Do
For end-users accessing websites Symantec recommends:
- Check to see if SSL 3.0 is disabled on your browser (for example, in Internet Explorer it is under Internet Options, Advanced Settings).
- Avoid MITM attacks by making sure “HTTPS” is always on the websites you visit.
- Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
- Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.
And, as always, if you have any questions, concerns or help, give us a call.