More on SSL is SOL (i.e.) Forget about Secure Financial Transactions Conducted on a Browser!

Here's some more on the recently discovered/secretly addressed/accidentally exposed critical flaw in SSL which is what the online banking community relies on for security. Translation: There is no security when financial transactions are done on the web. From NetSecurity.org:

Marsh Ray and Steve Dispensa of PhoneFactor discovered a serious vulnerability in SSL, the most common data security protocol on the Internet for online banking. The SSL Authentication Gap allows an attacker to mount a man-in-the-middle attack, and affects the majority of SSL-protected servers on the Internet.

Specifically, the vulnerability allows the attacker to inject himself into the authenticated SSL communications path and execute commands. Furthermore, both the web server and the web browser generally have no idea their session has been hijacked.

Editor's Note: I've been posting for well over 18 months now that the Web is NOT SAFE for financial transactions. I wrote several months back that SSL was flawed. Extended Validation SSL is also flawed.

It seems that the online financial community is "stuck on band-aids" to stave-off threats. Why not do it right? Triple DES DUKPT encryption done "outside the browser" will eliminate all the threats that live "inside the browser." As I said last year...it will get a lot worse before it gets better.

Attacks on SSL have made banks worried, Our patented technology takes trust to a whole new level and allows banks to set up secure links directly to the card reader itself, bypassing existing threats and risks completely. We envision that it will dramatically cut down internet crime and allow banks to do much more with their online banking customers.

The vulnerability results from a weakness in the SSL protocol standard (formally known as Transport Layer Security, or TLS). As such, most SSL implementations are vulnerable in one way or another. Affected scenarios include web surfers doing online banking.

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching,” said Steve Dispensa, CTO of PhoneFactor. “All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

Here's come the band-aids!

Related articles by Zemanta

• Vendors scramble to fix serious bug in Net's security (infoworld.com)
• Critical Flaw in SSL Found, Software Makers Scrambling for Band-Aid! (pindebit.blogspot.com)
• Typing Mostly Misunderstood (pindebit.blogspot.com)

• Browser Flaws Nullify EV SSL
  Researchers uncover flaw in handling of EV SSL by popular browsers

• Consumers DO WANT Security over Convenience...How About Both? (pindebit.blogspot.com)
• Quote of the Day: Inside the Browser is Perfect Place for Criminals to Be... (pindebit.blogspot.com)
• Man-In-the-Middle Vulnerability For SSL and TLS (it.slashdot.org)
• More holes found in Web's SSL security protocol (macworld.com)

99% of "SSL Secure" Websites Are Not