
Security gap found in SSL

  • 21-02-2003 8:24pm
    #1
    Closed Accounts Posts: 1,006 ✭✭✭


    Swiss researchers break encryption
    Lausanne (pte, Feb 21, 2003 11:53) - A team of security experts at the Security and Cryptography Laboratory (LASEC) at the "Ecole Polytechnique Federal der Lausanne" has discovered weaknesses in the Secure Sockets Layer (SSL) standard security protocol.

    The scientists say they were able to decode the information sent between client and server within an hour.

    The group under the direction of Serge Vaudenay is the first to prove that the gap, which has been the topic of theoretical discussion for some time, actually exists. To expose it, the researchers monitored the SSL-Server’s behaviour in replying to false packages. By measuring the amount of time taken to reply, the scientists were able to deduce the contents of a package.

    The researchers then worked out the password for the secure e-mail connection between the IMAP4 mail server and Outlook Express 6. Someone trying to take advantage of this gap would have to be able to intervene between the SSL server and client, and replace the message that is to be encoded with his own fake message.

    LASEC has notified the OpenSSL project of the security risk. The designers have already made the 0.9.7 and 0.9.6i versions available, which they say will close the OpenSSL gap.

    The international OpenSSL Project calls itself a "collaborative effort to develop a robust, commercial-grade Open Source toolkit implementing the Secure Sockets Layer and Transport protocols as well as a full-strength general purpose cryptography library managed by a worldwide community of volunteers." More information on the project can be found under

    there was a link provided @ http://lasecwww.epfl.ch/memo_ssl.shtml

    link fixed
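
The reply-time difference the article describes comes from the order in which a server checks a decrypted CBC record. The sketch below is an added example, not part of the original post and not OpenSSL's code: it contrasts a check that returns as soon as the padding is malformed with one that always computes the MAC, counting MAC computations as a stand-in for reply time. The function names, HMAC-SHA1, the 8-byte block size and the sample values are assumptions, and records are assumed to be already decrypted and at least `MAC_LEN + 1` bytes long.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length

def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def seal(key, payload, block=8):
    """Plaintext of a CBC record: payload || MAC || TLS-style padding."""
    body = payload + mac(key, payload)
    n = (block - (len(body) + 1) % block) % block
    return body + bytes([n]) * (n + 1)

def pad_len(record):
    """Return the padding length byte if the padding is well formed, else None."""
    n = record[-1]
    if n + 1 + MAC_LEN > len(record) or record[-(n + 1):] != bytes([n]) * (n + 1):
        return None
    return n

def check_early_exit(key, record):
    """Leaky order of checks. Returns (accepted, MACs computed)."""
    n = pad_len(record)
    if n is None:
        return False, 0  # fast path: no MAC work, so the error reply comes sooner
    body = record[:-(n + 1)]
    return hmac.compare_digest(mac(key, body[:-MAC_LEN]), body[-MAC_LEN:]), 1

def check_uniform(key, record):
    """Same verdicts, but a MAC is computed whether or not the padding parsed."""
    n = pad_len(record)
    pad_ok = n is not None
    body = record[:-((n if pad_ok else 0) + 1)]  # bad padding: treat as length 0
    mac_ok = hmac.compare_digest(mac(key, body[:-MAC_LEN]), body[-MAC_LEN:])
    return pad_ok and mac_ok, 1

def demo():
    key = b"constructed-demo-key"            # constructed sample values
    good = seal(key, b"LOGIN user pass")
    bad_pad = good[:-1] + bytes([good[-1] + 1])
    bad_mac = bytes([good[0] ^ 1]) + good[1:]
    return {name: (check_early_exit(key, r), check_uniform(key, r))
            for name, r in (("good", good), ("bad_pad", bad_pad), ("bad_mac", bad_mac))}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

With the early-exit check, a padding failure costs zero MAC computations and a MAC failure costs one, which is the distinguishable behaviour; the uniform check does one MAC computation in every case. The padding comparison itself is not constant-time in this sketch.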

