No matter what type of authentication, from basic to the highly encrypted, or whether organisations use password-based or two-factor authentication, their websites are vulnerable, writes Ben Chai, chief editor of SecurityVibes
Computer Weekly highlighted a serious flaw in the way e-commerce sites implement secure internet access though HTTPS, identified by UK penetration testing company First Base Technologies in April.
The problem has been reported in places such as the Open Web Application Security Project top ten security guide since about 2007.
What is of concern is that two years on, many companies are still unaware of the issue and need to ensure their session cookies are secure. Despite timely warnings from companies such as First Base Technologies, organisations still haven't got it right.
To make matters worse, members of SecurityVibes, a networking site for information security professionals, have reported a potentially more dangerous SSL attack vector using Moxie Marlinspike's attack: sslstrip. Details were presented by Moxie in February 2009 at the BlackHat conference in DC.
This attack can again be mitigated but needs security professionals to be aware of obscure fields in certificates in order to block it.
The lesson learned here is not to assume something is secure just because encryption or SSL is involved. As security professionals, it is impossible for us to keep up to date with every area of security, and it gets worse the higher up the security ladder you go.
For example, chief information security officers need to have skills in management and board-level abilities and still have an idea that attacks exist that could compromise the corporation's e-commerce and SSL VPN sessions.
Peter Woods' complete write up of the SSL attack can be found at the SecurityVibes website.
And a step by step pdf file on how to compromise SSL using Moxie Marlinspike's attack: sslstrip can be found here.