Friday, June 26, 1998 Published at 21:36 GMT 22:36 UK
Business: The Economy
Fatal flaw in Internet business security
A researcher at Lucent Technologies has discovered a software flaw that would allow experienced hackers to break the encryption code used for electronic commerce.
The standard encryption software used for business on the Internet is known as secure sockets layer, or SSL. Daniel Bleichenbacher, an encryption specialist with Lucent's Bell Labs, has now discovered a way that would allow hackers to break this code and intercept the messages.
However, hackers would need a special Internet connection and would have to send about a million specially crafted messages before being able to break the system's security. According to Mr Bleichenbacher it would take them up to two days to do that, and an attack could be easily detected.
Nonetheless, the people behind the technology are shocked. Scott Schnell, vice president at RSA Data Security Inc., which helped develop the SSL technology, said: "It is a serious flaw, and if it had been discovered by a bad guy, it could have been used surreptitiously to get into consumers' online banking transactions and other things."
But he cautioned that such an attack was "not something that a lone, average high school student programmer could mount on his own. I wouldn't underestimate the complexity of the science behind it."
SSL technology is supposed to provide Internet users with a secure connection to a company server, for example when they transfer personal data like credit card numbers or banking details to a company they trust.
The news comes at a crucial time for e-commerce, the business on the Internet. Industry analysts have predicted that 1998 could be the year when sales on the Net take off.
Many consumers, however, are still concerned about security and safety standards and the latest problem will not improve their confidence.
Good guys vs bad guys
Software writers are now busy writing a software patch to fix the problem.
The good news is that users will not have to update their Internet browsers. Daniel Bleichenbacher says the security flaw can be fixed on the server side.
RSA has already released a software patch and promised that it will release new software code next month that "fundamentally eliminates this whole class of attack."
But RSA's Mr Schnell has a word of warning as well: "There are always going to be new discoveries of flaws in the system. The question is how effectively will industry respond to minimise or eliminate that threat."
He added that keeping networks secure was a matter of the good guys discovering cracks before the bad guys do.