RSA Data Security, reacting to news today that a researcher at Lucent’s Bell Labs discovered a software flaw that undermines the Secure Sockets Layer (SSL) protocol, is working with leading Internet software vendors on preemptive patches designed to address the vulnerability.
RSA said the countermeasures, which are aimed at enhancing the security of popular server software products based on SSL, are currently available on the sites of C2Net Software, Consensus Development Corporation, IBM, Lotus, Microsoft, Netscape, and Open Market.
Each company is expected to post configuration guidelines, software updates, and additional information to thwart the flaw that affects interactive key establishment protocols using the Public Key Cryptography Standard (PKCS) #1, including SSL.
As reported on InternetNews.com earlier today, Daniel Bleichenbacher, a researcher at Lucent Technologies Inc.’s Bell Labs, discovered a vulnerability that could allow someone to discover the key for an encrypted session by repeatedly sending around one million specially designed messages to a target server, and then detect the server’s response.
In an interview on CNBC today that may help ease the fears of those investing in electronic commerce-related stocks, Bleichenbacher played down the gravity of the situation saying that such an attack could take days to mount and can be detected by the server.
“It’s really not a big deal and I think the product just becomes better after the fix,” he said. “It’s actually possible to fix it on the server side only, so customers that use a Web browser can use the same Web browser again, they don’t have to download anything new.”
RSA noted that the vulnerability does not affect the Secure Electronic Transactions (SET) and Secure Multipurpose Internet Mail Extension (S/MIME) secure messaging protocols because they either feature mechanisms that already address the flaw or are not susceptible.
CERT has also issued a technical advisory on the vulnerability and patches for installed SSL-based server software are available at the RSA Labs site.
In a statement released today, RSA said it also plans to provide those developers using its BSAFE security suite with free software upgrades this summer aimed at eliminating the new threat.
