SOURCE: PhoneFactor

PhoneFactor

August 19, 2010 12:08 ET

PhoneFactor Declares Case Closed on SSL/TLS Authentication Vulnerability

Microsoft Patches Signal the Successful End to a Year Long Project to Address a Major Vulnerability in the SSL Protocol

OVERLAND PARK, KS--(Marketwire - August 19, 2010) -  PhoneFactor, Inc., the leading global provider of phone-based multi-factor authentication services, declares victory on the SSL/TLS authentication project. With Microsoft's release last week of patches for all supported versions of Windows, the SSL/TLS vulnerability has been addressed by all major vendors without any know exploits having taken place.

The SSL/TLS vulnerability was discovered by PhoneFactor team member Marsh Ray one year ago this week. The SSL authentication gap allows an attacker to mount a man-in-the-middle attack by injecting malicious data and commands into the authenticated SSL communications path. The vulnerability resulted from a weakness in the SSL protocol standard (formally known as Transport Layer Security, or TLS). As such, most SSL implementations were vulnerable in one way or another.

"It is not every day that a discovery is as far reaching as the one found by PhoneFactor, a problem that is not vendor-specific but built-in, industry-wide, and universally relevant," said Dan Geer, Chief Information Security Officer for In-Q-Tel.

While Ray and PhoneFactor CTO Steve Dispensa were working privately with an industry consortium to address the issue, news of the vulnerability broke in November 2009 when a member of an IETF working group independently discovered the issue. Word quickly spread through the IT security community. A working exploit against Twitter was published just days after the vulnerability became public. Microsoft rated the severity of the vulnerability as "important," the second-highest classification on its four-tier scale.

"There is all but no precedent for what to do right in such situations. In my opinion, PhoneFactor should be commended for its handling of the problem," said Geer.

One year later, a new SSL protocol (RFC 5746) is in place. Initial fixes that disabled the offending SSL/TLS renegotiation process have since been replaced with secure implementations of renegotiation from Microsoft, OpenSLL, and Oracle's Java. A comprehensive list of vendor patches is available at http://www.phonefactor.com/sslgap/ssl-tls-authentication-patches. Most importantly, the issue was largely resolved before any large-scale attacks surfaced.

"At a time when vendors are often criticized for slow responses to seemingly small but severe defects, the industry has proven it can work together to fix a very challenging bug in an interoperable protocol in record time," said Marsh Ray. "I think now is a good a time as any to claim victory."

About PhoneFactor
PhoneFactor is a leading provider of multi-factor authentication. The company's award-winning service uses any phone as a second form of authentication. PhoneFactor's out-of-band architecture and real-time fraud alerts provide strong security for enterprise and consumer applications. It's easy and cost effective to set up and deploy to large numbers of geographically diverse users. PhoneFactor was recently named to the Bank Technology News FutureNow list of the top 10 technology innovators securing the banking industry today and a finalist in 2010 SC Magazine Reader Trust Awards. Learn more at www.phonefactor.com.

Contact Information