According to recent news reports, a 19-year old vulnerability that enabled attackers to decrypt encrypted data and sign communications sites’ secret encryption keys has returned. The vulnerability was disclosed back in 1998 in the TLS predecessor known as secure sockets layer. A recent study found that 27 of the 100 most-visited websites—including Facebook and PayPal—are vulnerable to what is essentially the same attack. About 2.8 percent of the top 1 million sites also tested positive. According to the researchers, it was hiding in plain sight. Amit Sethi, Principal Consultant at Synopsys commented below.
Amit Sethi, Principal Consultant at Synopsys:
We see these types of issues regularly when assessing software that attempts to hide error conditions. For example, the server’s actual response may be the same regardless of whether an error occurred, but the amount of time that the server takes to respond may be noticeably different when errors occur.
This attack illustrates why security issues are often difficult to find and mitigate properly. Even subtle information leakage can lead to significant problems.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.