SSL-Secured Websites Aren’t as Secure as We’d Like to Believe

We often hear of websites turning to Secure Socket Layer (SSL) encryption to protect their information from hackers. However, it seems that by having the SSL encryption, websites are putting themselves at risk for a different type of attack. Instead of having their data open to interception by hackers, the SSL comes with a vulnerability that allows the hacker to temporarily bring down the website entirely.

Unlike a denial-of-service (DoS) attack, which requires an entire network of computers to bring down a website by flooding it with fake traffic, this THC-SSL-DOS attack allows an attacker to bring down the website with a single computer (or a handful of computers if the website uses multiple web-servers). This attack works by targeting an SSL vulnerability that’s been around since 2003 but security experts have avoided fixing.

The researchers that leaked and publicized this exploit have known about it for quite some time now, and have decided that the only way it will get the urgent attention it deserves is if it is brought to the public’s attention:

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” said the researchers in a blog post.

Looking at the way these researchers have responded, this call to action might have both positive and negative effects; positive in the sense that our web security will be upgraded, leading to an entirely new and improved way of securing our data – but negative in the sense that bringing this exploit to public attention might lead to further damage. Hopefully, the positive will prevail, and it gets patched up before this vulnerability can cause any real harm.

(Via Wired) / (Image by CarbonNYC licensed under Creative Commons)

About the author  ⁄ BrickHouse Security

BrickHouse Security is the industry's premier supplier of security and surveillance solutions. As a recognized authority in GPS tracking, hidden cameras, employee monitoring and compliance, video surveillance and counter surveillance, we help our customers use technology to get the clarity they need. We proudly serve consumers, businesses of all sizes and the law enforcement community. When you need to know, BrickHouse has the answers.