Swiss Crack E-Mail Code, but Minimal Impact Seen

Discussion in 'Current Events' started by medea, Feb 21, 2003.

  1. medea macrumors 68030


    Aug 4, 2002
    Madison, Wi
    Researchers at a Swiss university have cracked the technology used to keep people from eavesdropping on e-mail sent over the Web, but U.S. experts said on Thursday that the impact would likely be minimal.
    Professor Serge Vaudenay of the Swiss Federal Institute of Technology in Lausanne found a way to unlock a message encrypted using Secure Socket Layer protocol technology, according to a posting on the research institute's Web site.
    However, U.S. cryptography experts said it was not the version of security that most consumers use to shop online.
    Rather, it is a version that only affects e-mail, is limited in scope and not widely used, said Professor Avi Rubin, who is technical director of the Information Security Institute at Maryland's Johns Hopkins University.
    In addition, an attacker would have to be in control of a network computer located in the middle of the two people communicating over which the messages were flowing, he said. "It's possible, but it has limited applicability," he said.
    He said patches are already available to fix the hole, which affects one particular mode of OpenSSL. Like all so-called "open source" software, OpenSSL is free software created by developers who can modify it at any time.
    "This is not something that anybody really needs to worry about," Rubin said.
    Bruce Schneier, chief technical officer at network monitoring firm Counterpane Internet Security, agreed.
    "As a cryptographer, I am impressed. That's really nice work," he said of the research. "As a guy who wants to protect my secrets tomorrow, I don't care."
    Besides the mitigating circumstances which lessen the likelihood that attackers would be successful, Schneier said SSL is irrelevant to security because attackers can more easily get at secret information while it is stored on computers and servers at the sending and receiving ends.
    "SSL protects the communications link between you and the Web" server, he said. "Nobody bothers eavesdropping on the communications while it is in transit."

    "nobody bothers eavesdropping on the communications while it is in transit" eh?
    I'm convinced.:rolleyes:
  2. yzedf macrumors 65816


    Nov 1, 2002
    and that is why open source is cool. a vulnerability is announced, with a note that the patch is already available.

    kudos to the OpenSSL team!
  3. timbloom macrumors 6502a


    Jan 19, 2002
    The never-ending mouse/mousetrap scheme, open source has done a great service to society for being so easy to patch, and so many people just waiting for something to go wrong so they can fix it.
