Vendors have now shipped fixes for the SSL/TLS renegotiation vulnerability reported by PhoneFactor, roughly a year after it was found. Microsoft began releasing patches for all supported versions of Windows last week, and the vulnerability has now been addressed by all major vendors without any known problems.
The vulnerability is rooted in what PhoneFactor called the SSL authentication gap: the protocol did not cryptographically bind a renegotiated handshake to the session that came before it. An attacker in the middle could open a connection to a server, send data of their own, and then splice a legitimate client’s handshake into that same connection as a renegotiation, so the server treated the attacker’s plaintext and the client’s authenticated data as one continuous stream. In effect, the attacker could insert data and commands into the authenticated SSL communications path.
The weakness lies in the SSL protocol standard itself (formally known as Transport Layer Security, or TLS) rather than in any single implementation, which is why most SSL implementations were exposed to some degree. The attack became public in November 2009, and Microsoft rated the vulnerability “important,” the second-highest classification on its four-tier scale.
The fix, RFC 5746 (the TLS Renegotiation Indication Extension), is now in place. It is not a new protocol but an extension that ties each renegotiation to the handshake that preceded it, and secure renegotiation built on it has shipped from Microsoft, OpenSSL, and Oracle’s Java.
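To make the gap and the fix concrete, here is an added simulation (not code from the article, PhoneFactor, or any vendor) of a toy TLS server that tracks handshake state per connection. It runs the prefix-injection attack against a legacy server and against one enforcing RFC 5746, then shows a legitimate renegotiation succeeding. Everything in it is a simplification: HMAC-SHA256 stands in for the TLS PRF that produces verify_data, the master secret is passed in rather than derived, the server’s own renegotiation_info in the ServerHello is omitted, and the secrets, transcripts and HTTP requests are constructed.

```python
"""Toy simulation of the TLS renegotiation gap and the RFC 5746 binding.

Simplifications (assumptions, not real TLS): HMAC-SHA256 replaces the PRF,
the master secret is handed to the server, and only the client side of the
renegotiation_info extension is modelled.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

VERIFY_DATA_LEN = 12  # TLS 1.2 verify_data is 12 bytes (RFC 5246, 7.4.9)


class HandshakeFailure(Exception):
    """Stands in for a TLS handshake_failure alert."""


def verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """Toy stand-in for the Finished message's verify_data."""
    return hmac.new(master_secret, transcript, hashlib.sha256).digest()[:VERIFY_DATA_LEN]


@dataclass
class Connection:
    """Server-side state for one TCP connection."""
    client_vd: Optional[bytes] = None  # client verify_data of the last handshake
    server_vd: Optional[bytes] = None
    handshakes: int = 0
    app_data: bytes = b""              # plaintext the server has accepted so far


class Server:
    def __init__(self, require_secure_renegotiation: bool) -> None:
        # False models a pre-RFC 5746 server: any ClientHello mid-connection is honoured.
        self.require_secure_renegotiation = require_secure_renegotiation

    def handshake(self, conn: Connection, master_secret: bytes, transcript: bytes,
                  renegotiation_info: Optional[bytes]) -> None:
        """Process a ClientHello on conn.

        renegotiation_info is the client's extension value: None if absent (legacy
        client), b"" on what the client believes is its first handshake (RFC 5746,
        3.4), or its previous client_verify_data when it knowingly renegotiates (3.5).
        """
        if conn.client_vd is None:
            # Initial handshake on this connection: only an empty or absent value is valid.
            if renegotiation_info not in (None, b""):
                raise HandshakeFailure("non-empty renegotiation_info on initial handshake")
        elif self.require_secure_renegotiation:
            # Renegotiation: the extension must be present and must equal the
            # previous handshake's client verify_data (RFC 5746, 3.7).
            if renegotiation_info is None:
                raise HandshakeFailure("renegotiation without renegotiation_info refused")
            if not hmac.compare_digest(renegotiation_info, conn.client_vd):
                raise HandshakeFailure("renegotiation_info does not match previous handshake")
        conn.client_vd = verify_data(master_secret, transcript + b"|client finished")
        conn.server_vd = verify_data(master_secret, transcript + b"|server finished")
        conn.handshakes += 1

    def receive(self, conn: Connection, plaintext: bytes) -> None:
        # Servers append data from before and after a renegotiation to one
        # application stream; that is the gap the attacker exploits.
        conn.app_data += plaintext


# Constructed sample traffic: the attacker's trailing header swallows the victim's request line.
ATTACKER_PREFIX = b"GET /admin/delete-account HTTP/1.1\r\nX-Ignore: "
VICTIM_REQUEST = b"GET /index.html HTTP/1.1\r\nCookie: session=victim\r\n\r\n"


def splice_attack(server: Server, victim_renegotiation_info: Optional[bytes]) -> Tuple[bool, bytes]:
    """Man-in-the-middle prefix injection. Returns (victim data accepted?, server stream)."""
    conn = Connection()
    # 1. Attacker opens its own connection to the server and completes a handshake.
    server.handshake(conn, b"attacker-secret", b"attacker ClientHello", b"")
    # 2. Attacker sends an unauthenticated request prefix.
    server.receive(conn, ATTACKER_PREFIX)
    # 3. Attacker relays the victim's ClientHello over the same connection. The victim
    #    believes this is a fresh connection, so it sends no, or an empty, renegotiation_info.
    try:
        server.handshake(conn, b"victim-secret", b"victim ClientHello", victim_renegotiation_info)
    except HandshakeFailure:
        return False, conn.app_data
    # 4. The victim's authenticated request lands behind the attacker's prefix.
    server.receive(conn, VICTIM_REQUEST)
    return True, conn.app_data


def legitimate_renegotiation(server: Server) -> int:
    """A client that knowingly renegotiates sends its previous client_verify_data."""
    conn = Connection()
    server.handshake(conn, b"client-secret", b"ClientHello 1", b"")
    server.handshake(conn, b"client-secret", b"ClientHello 2", conn.client_vd)
    return conn.handshakes


if __name__ == "__main__":
    ok, stream = splice_attack(Server(require_secure_renegotiation=False), None)
    print("legacy server accepted splice:", ok, stream)
    ok, _ = splice_attack(Server(require_secure_renegotiation=True), b"")
    print("RFC 5746 server accepted splice:", ok)
    print("legitimate renegotiations completed:", legitimate_renegotiation(Server(True)))
```

Against the legacy server the stream ends up as the attacker’s request line followed by the victim’s cookie, which is exactly the injection described above. Against the RFC 5746 server the victim’s ClientHello carries an empty (or absent) renegotiation_info that cannot match the attacker’s earlier verify_data, so the renegotiation is refused and only the attacker’s own unauthenticated prefix ever reaches the application. In the real protocol the victim would also abort on its side, because the ServerHello would carry a non-empty renegotiation_info on what the victim thinks is an initial handshake.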