On to the next post in our series debunking SSL myths. Today’s myth: Online banking via an SSL session is secure. The answer is [SPOILER ALERT] — false.
Companies often use SSL to secure sensitive information transfer from customers or partners. But vulnerabilities in this approach are frequently exposed. For example, a recent attack targeted CitiGroup’s 21 million customers and resulted in a 1% success rate. This might seem low, but remember that 1% of 21 million translates to 210,000 compromised users.
Even worse, the CitiGroup breach wasn’t an isolated case. Swiss researchers recently published a memo describing a way to gather information about the data transmitted over an SSL channel by exploiting a vulnerability in the implementations of block ciphers, such as AES. It’s worth noting that AES was developed by the Defense Advanced Research Projects Agency (DARPA) and is widely accepted as the strongest form of encryption. The memo, however, pointed out that in certain circumstances, it’s possible to decrypt some of the data in the messages, including encrypted passwords.
This vulnerability is linked to the way error handling is implemented in applications that use the cipher-block chaining mode, such as AES in SSL. One of the best ways to avoid this pitfall is to never use the same key stream to encrypt two different documents.
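To make the error-handling point concrete, here is an added example (not code from the original post or from any SSL library) that contrasts a CBC receiver that reports padding and MAC failures separately with one that authenticates the ciphertext first and returns a single generic error. The toy Feistel cipher standing in for AES, the keys, the message and all function names are constructed for illustration.

```python
import hashlib, hmac, os

BS = 16  # block size in bytes
ENC_KEY, MAC_KEY = b"E" * 16, b"M" * 32  # constructed demo keys
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
mac = lambda data: hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def _block(blk, decrypt=False):  # toy 4-round Feistel standing in for AES, NOT secure
    f = lambda i, h: hashlib.sha256(ENC_KEY + bytes([i]) + h).digest()[:8]
    l, r = blk[:8], blk[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, f(i, l)), l) if decrypt else (r, _xor(l, f(i, r)))
    return l + r

def cbc_encrypt(pt):
    pad = BS - len(pt) % BS
    pt, out = pt + bytes([pad]) * pad, [os.urandom(BS)]  # PKCS#7 pad, random IV
    for i in range(0, len(pt), BS):
        out.append(_block(_xor(pt[i:i + BS], out[-1])))
    return b"".join(out)

def cbc_decrypt(ct):
    blks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    pt = b"".join(_xor(_block(c, True), p) for p, c in zip(blks, blks[1:]))
    n = pt[-1]
    if not 1 <= n <= BS or pt[-n:] != bytes([n]) * n:
        raise ValueError("padding")
    return pt[:-n]

def leaky_receive(ct):  # MAC-then-encrypt, one error string per failure type
    try:
        body = cbc_decrypt(ct)
    except ValueError:
        return "bad_padding"
    return "ok" if hmac.compare_digest(body[-32:], mac(body[:-32])) else "bad_mac"

def hardened_receive(pkt):  # encrypt-then-MAC: authenticate first, one generic error
    if not hmac.compare_digest(pkt[-32:], mac(pkt[:-32])):
        return "rejected"
    cbc_decrypt(pkt[:-32])
    return "ok"

def response_classes(receive, pkt, idx):  # every value in one byte -> distinct answers
    return {receive(pkt[:idx] + bytes([v]) + pkt[idx + 1:]) for v in range(256)}

def demo(msg=b"amount=100&to=12"):  # constructed message
    ct = cbc_encrypt(msg + mac(msg))
    idx = len(ct) - BS - 1  # last byte of the second-to-last ciphertext block
    return (response_classes(leaky_receive, ct, idx),
            response_classes(hardened_receive, ct + mac(ct), idx))
```

`demo()` works as a regression check: a receiver that answers a modified record with more than one kind of failure is telling the sender something about the plaintext, while the hardened receiver only ever answers "ok" or "rejected".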
Cipher-block chaining also exhibits well-known weaknesses that can be exploited to break SSL communication. Just how easy it is to crack SSL/TLS was demonstrated recently by two researchers, Thai Duong and Juliano Rizzo. They demoed a straightforward attack against SSL/TLS using a Java applet to decrypt — or even take over — an SSL/TLS-secured session.
Of course, there are numerous ways an attacker can mount a successful attack against the Web browser—too many to name in this article. If you’re interested in more details, the Open Web Application Security Project (OWASP) is a good resource.