Chris Neary is a producer for On the Media.
Transport Layer (In)Security
Friday, September 23, 2011 - 06:00 AM
This week has been hack week here at On The Media. We've written about the Paleolithic history of hacking: the jargon file and phone phreaking – but to round out the week, it’s time for some up-to-the-minute hacking news.
We spoke with Alan Paller for this week’s show – he’s the director research at SANS Institute. He mentioned during our interview that a weakness had been found in TLS. TLS is the acronym for Transport Layer Security, a protocol that allows you to communicate securely on the internet by encrypting the information being sent.That portion of the interview didn’t make it into the show, but it’s interesting stuff.
Paller sent me a link to a British Tech site, The Register. Here’s their lead from an article about the TLS weakness.
Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser.
So this hack (Alex, am I using that word right?) ((Ed. note = Well, kind of. I’d call it an exploit.- AG)) means that some important transactions, like those between businesses and banks, are vulnerable.
I asked Paller for some context, particularly how worried the average computer user should be.
Why this is a big deal: It’s a big deal because a very large percentage of the important organizations in the world do encrypt the traffic when they work with their employees, when customers order things online. For most business transactions you want them encrypted.
Why this is not a HUGE deal: People shouldn’t be afraid to do online purchases with their credit card, because the way the bad guys get the credit cards is attacking the businesses. This kind of large scale vulnerability announcement happens annually, maybe every year and a half. A whole lot of news gets made and then people fix it.
The hack exploit was carried out by two researchers. What were their motivations for doing this? Paller says it’s a little unclear:
We know that people are searching for fame and to make a difference. Those tend to drive these people. They don’t seem to be searching for fortune. It’s almost like science, they’re searching for how things work, in this field they search for how things can be broken. When they’re acting like good guys their theory is that it is better we find the problem before the bad guys find it.
One last thing: Google says that it has developed an update for Chrome that will help guard against this type of attacks. Time for a browser update?