Tuesday, 29 November 2022

Another SSL/TLS stack falls as Microsoft admits their version has a bug in it too


Encryption is an interesting thing. On the surface it offers protection from prying eyes and a sense of security in protecting your communication and files. At least that is what you should feel when talking about encryption. The problem is that encryption is only as secure as the protocol and API that is in use. Even if you have a rock-solid certificate, the protocol and APIs that you use to connect can be compromised to bypass it. This is what has happened to almost every major SSL/TLS stack. So far in 2014 we have watched them fall one at a time, to the dismay of security experts.

The timing of these failures is significant in light of the revelations of Edward Snowden and the push to encrypt all traffic on the internet for privacy and security. As more people and devices begin using encryption and SSL/TLS for communication, the risk of compromise due to these flaws increases. The question is: are these flaws a mistake, or are they some of the flaws that Edward Snowden claims were put in place under pressure from the NSA?

Again, we have a massive number of people moving to encryption due to privacy concerns. Google and other search providers are giving a leg up to sites using SSL, email services are quickly moving to TLS for more secure email relay, and phone makers are starting to add encryption to their devices to protect them. According to Snowden, the NSA and other government agencies built backdoors and hidden flaws into the most common encryption standards to ensure that they would always be able to get in. The two events are not coincidental, as we are seeing flaws that have existed for 10+ years in some cases suddenly get patched without much in the way of an explanation. Why would flaws of this significance not be patched years ago?

What makes this even more suspicious is that all of these flaws are very close in scope. They allow someone else to drop in on your “secure” session and execute code. This gives the attacker quite a bit of flexibility in what they can do to you. They can drop in software to spy on you, or (if they are malicious enough) take full control over your system. How do we find flaws that match up so closely in different secure protocols unless they were intended? Conspiracy theories aside, these flaws are at least being patched by the developers quickly now that they have hit the light of day. Sadly, someone has to run the patch to plug the holes before the bad guys get in. With the way we have seen corporations react lately, we have a feeling that this one will not be really fixed anytime soon.

Tell us what you think

Last modified on Wednesday, 12 November 2014 14:00
