Researchers detail SSL implementation holes
A team of US researchers has revealed how the use of Secure Sockets Layer (SSL) in a large range of big ticket applications could allow for man-in-the-middle interception.
In a paper dubbed "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software", researchers from Stanford University and the University of Texas found vulnerabilities in how SSL was handled in Android, Amazon’s EC2 Java library and software development kit, and instant message clients Trillian and AIM.
The root cause of the flaws was the "terrible design" of application program interfaces (APIs) to the underlying SSL libraries, they wrote. "As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values," they wrote.
- Thu, 2013-05-23 10:39
- Thu, 2013-05-23 10:35
- Thu, 2013-05-23 10:30