Secure Browsing Ain’t So Secure, After All

Engineers have discovered a major flaw in a technology that many Web developers use to ensure secure browsing, reports InfoWorld.


SSL, or Secure Sockets Layer, is used by any Web service whose address begins with “https://,” including giants like PayPal, Gmail, and Chase online banking. The flaw in the protocol, an instruction set that computers use when transferring data, allows hackers to intercept communications by posing as a “man in the middle” between a host server and its client. It could be used to hack into everything from email servers to secure online applications, says InfoWorld.

The fix will take time, since each piece of software that uses SSL will need to be hand-tuned to close the loophole. Everything from Web browsers and servers to SQL databases will need patching.

The hole was discovered by PhoneFactor, a mobile phone security company. They had planned to engineer a fix for the problem along with an industry consortium, but were beaten to the punch when an SAP engineer stumbled upon the bug himself. Not aware of the seriousness of the flaw, he posted it on a message board, making the hole widely known before security and IT professionals could scramble to patch their code.

InfoWorld says a “number of open source products” are working towards a fix.