« Microslosh Strikes Again | Main | AI vs Minsky »

February 24, 2003

Microslosh Strikes Again

The whole world (or at least the whole internet) is running around patching SSL due to a recent vulnerability which was announced last week in Switzerland. The truth of the matter is somewhat more interesting that the original reports suggested. The actual vulnerability is not in SSL itself but in the way that SSL is used.....

Imagine a locksmith who makes a great new security lock for front doors. Now you get a builder who constructs entranceways to your house using this locksmith's products. As a consumer, you just want to be able to access your house. This builder does this by arranging it so that you put your key in the lock to open the door and then go inside BUT your key stays in the door until you leave the house. You should have picked a smarter builder :wink

Now the locksmith is OpenSSL, the builder in question is the Microslosh corporation and the entranceway product is called Outlook Express. When you start up a connection (enter your house) the SSL key is used to establish a connection. Outlook Express continues to send the key to the server every time if checks for updates. It does not close and reopen the connection as required and it does not make full use of the keys. It sends a simple data packet (including the key) at least once every five minutes.

Like I said above, get a better builder. And don't listen to promises of a secure future, this builder has been promising to make things secure, safe and bugfree since (at least) 1995 [Bill Gates claims MS Software is bugfree in Risks Digest] and still have not delivered.

Posted by Ozguru at February 24, 2003 12:02 PM


Comments