No matter what type of authentication, from basic to the
highly encrypted, or whether organisations use password-based or
two-factor authentication, their websites are vulnerable, writes Ben Chai, chief editor of SecurityVibes.
Computer Weekly highlighted a serious flaw in the way
e-commerce sites implement secure internet access through HTTPS,
identified by UK penetration testing company First Base
Technologies in April.
The problem has been reported in places such as the
Open Web Application Security
Project top ten security guide since about 2007.
What is of concern is that two years on, many companies are
still unaware of the issue and need to ensure their session cookies
are secure. Despite timely warnings from companies such as First
Base Technologies, organisations still haven't got it right.
To make matters worse, members of
SecurityVibes,
a networking site for information security professionals, have
reported a potentially more dangerous SSL attack vector using
Moxie Marlinspike's attack: sslstrip. Details were presented by
Moxie in February 2009 at the BlackHat conference in DC.
This attack can again be mitigated but needs security
professionals to be aware of obscure fields in certificates in
order to block it.
The lesson learned here is not to assume something is secure
just because encryption or SSL is involved. As security
professionals, it is impossible for us to keep up to date with
every area of security, and it gets worse the higher up the
security ladder you go.
For example, chief information security officers need to have
skills in management and board-level abilities and still have an
idea that attacks exist that could compromise the corporation's
e-commerce and SSL VPN sessions.
Peter Woods' complete write up of the SSL attack can be found at
the
SecurityVibes website.
And a step-by-step PDF file on how to compromise SSL using Moxie
Marlinspike's attack: sslstrip can be found
here.