We often hear of websites turning to Secure Sockets Layer (SSL) encryption to protect their information from hackers. However, it seems that by enabling SSL encryption, websites are exposing themselves to a different type of attack. Instead of having their data open to interception by hackers, the SSL implementation carries a vulnerability that allows an attacker to temporarily bring down the website entirely.
Unlike a denial-of-service (DoS) attack, which requires an entire network of computers to bring down a website by flooding it with fake traffic, this THC-SSL-DOS attack allows an attacker to bring down the website with a single computer (or a handful of computers if the website uses multiple web servers). The attack works by targeting an SSL vulnerability that has been known since 2003 but that security experts have avoided fixing.
The researchers who leaked and publicized this exploit have known about it for quite some time, and have decided that the only way it will get the urgent attention it deserves is to bring it to the public’s attention:
“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” said the researchers in a blog post.
Looking at the way these researchers have responded, this call to action might have both positive and negative effects: positive in the sense that our web security will be upgraded, leading to an entirely new and improved way of securing our data, but negative in the sense that bringing this exploit to public attention might lead to further damage. Hopefully the positive will prevail, and the vulnerability gets patched before it can cause any real harm.