Net security software exposed

Net security software exposed

SSL systems used for payments over the net

Swiss researchers have found a way around the most commonly used security system to protect passwords over the internet.

A team at the Lasec Security and Cryptography Laboratory in Lausanne said they had been able to decipher a password in less than an hour.

"It is the first time we have noticed a security problem in the SSL protocol itself and not in how we use it or how we implement it," Professor Serge Vaudenay, Lasec Director told the BBC.

But the researchers say the loophole does not apply to credit card transactions, as banks and e-commerce sites use a different type of SSL (Secure Sockets Layer) technology.

E-mail exposed

Up until now, SSL systems had been thought to be completely secure.

We intercepted a connection, replaced it with a fake one and looked at the behaviour of the server

Professor Serge Vaudenay

Websites protected by SSL systems are marked by an internet address which begins with "https://." On most browsers, a small lock and key icon will appear at the bottom of the browser to show it is a secure connection.

It is widely used across the web by e-commerce sites to protect customer information and transactions.

SSL works by encrypting a password or credit card number, using a secret code to scramble the information so that if anyone intercepts it, they will not be able to read it.

Various types of algorithms are used in SSL technology to encrypt information.

The type of SSL protocol hacked by the scientists was one used for e-mail, rather than for banking or credit card payments.

"We intercepted a connection, replaced it with a fake one and looked at the behaviour of the server," Prof Vaudenay told the BBC.

The researchers monitored passwords sent to an IMAP server when checking e-mails with Outlook Express using a secure connection.

He explained that the team were able to gain a small amount of information as the computer and the server talked to each other.

"We got a small bit of information about the password each time and after 160 attempts we were able to reconstruct it."

Encrypted data

But Prof Vaudenay said the loophole did not present a serious security problem as it relied on the password being frequently sent to a server.

I would be surprised if this was a threat to consumers purchasing online

RSA spokeswoman

"The e-mail application regularly sends authentication to the server, like log in name and password of the user, without bothering the user," he explained.

This is because Outlook is set up by default to connect to the e-mail server every five minutes.

In contrast, a password is usually only typed in once for most e-commerce transactions.

In addition, used CBC protocols, whereas the vast majority of SSL connections use RC4.

Security experts said people should not be concerned about giving their credit card details on sites using SSL.

"This attack is not applicable to web shopping and there are much easier ways that fraudsters steal credit card information," said Paul Kocher, President & Chief Scientist of Cryptography Research, in a posting to the technology website Slashdot.

"Strictly speaking, the fact that implementations reveal sensitive information in timing channels is an implementation issue, not a flaw in the underlying cryptographic protocol," he wrote.

"This doesn't make the issue unimportant, however, and timing attacks are big deal for implementers because they are easy to introduce, notoriously tricky to detect, and often difficult to eliminate."

The Swiss researchers said they had passed on their findings to SSL's developers, who have closed the loophole in the latest version of the software.