SOURCE: PhoneFactor

November 05, 2009 11:01 ET

PhoneFactor Discovers Major Vulnerability in SSL Authentication

Marsh Ray and Steve Dispensa Discover a Gap in SSL Authentication That Makes It Vulnerable to Man-in-the-Middle Attacks

OVERLAND PARK, KS--(Marketwire - November 5, 2009) - PhoneFactor, a leading global provider of two-factor security services, today announced that Marsh Ray and Steve Dispensa of PhoneFactor discovered a serious vulnerability in SSL, the most common data security protocol on the Internet. The SSL Authentication Gap allows an attacker to mount a man-in-the-middle attack, and affects the majority of SSL-protected servers on the Internet. Specifically, the vulnerability allows the attacker to inject himself into the authenticated SSL communications path and execute commands. Furthermore, both the web server and the web browser generally have no idea their session has been hijacked.

The vulnerability results from a weakness in the SSL protocol standard (formally known as Transport Layer Security, or TLS). As such, most SSL implementations are vulnerable in one way or another. Affected scenarios include web surfers doing online banking, back-office systems using web services-based protocols, and non-HTTP applications such as some mail servers, database servers, and so on.

"Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching," said Steve Dispensa, CTO of PhoneFactor. "All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL."

To address the issue, the PhoneFactor team organized a working group of affected vendors, together with representatives from the appropriate standards committees. The group reached a consensus on how to address the underlying issue in the SSL standard and patch the SSL libraries, and also produced a set of recommended methods for mitigating the vulnerability in the meantime.

News of the vulnerability broke when a member of an IETF working group independently discovered the issue and posted it to an IETF mailing list on November 4th. Word quickly spread through the IT security community.

"The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols," said Dispensa. "While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks."

More information is available at

About PhoneFactor

PhoneFactor is an award-winning two-factor authentication service that uses any phone as a second form of authentication. Its out-of-band architecture and real-time fraud alerts provide strong security for enterprise and consumer applications. PhoneFactor is easy and cost effective to set up and deploy to large numbers of geographically diverse users. PhoneFactor was recently named to the Bank Technology News FutureNow list of the top 10 technology innovators securing the banking industry today. Learn more at

Contact Information

Michelle Metzger
Pierpont Communications, Inc.
Phone: 214.217.7300
Cell: 214.682.7559