SSL Vulnerabilities Found in Critical Non-Browser Software Packages
October 26th, 2012Via: Threat Post:
The death knell for SSL is getting louder.
Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages.
Serious security vulnerabilities were found in programs such as Amazon’s EC2 Java library, Amazon’s and PayPal’s merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack.
“This is exactly the attack that SSL is intended to protect against,” according to the research paper “The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software.“ It does not involve compromised or malicious certificate authorities, nor forged certificates, nor compromised private keys of legitimate servers. The only class of vulnerabilities we exploit are logic errors in client-side SSL certificate validation.”
