SSL Holes Found In Critical Non-Browser Software

Posted by timothy on Thursday October 25, 2012 @08:21AM from the will-be-with-us-for-a-while dept.

Gunkerty Jeb writes "The death knell for SSL is getting louder. Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages. Serious security vulnerabilities were found in programs such as Amazon's EC2 Java library, Amazon's and PayPal's merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack."

2 of 84 comments (clear)

Min score:

Reason:

Sort:

This again? by Anonymous Coward · 2012-10-25 08:26 · Score: 5, Insightful

News Flash: People bypass inconvenient security features. Security reduced as a result.
How does this at all lead to a "death knell" for SSL?
Re:Man in the middle? by pthisis · 2012-10-25 08:49 · Score: 5, Insightful

You're better off running your own CA and distributing that CA's public key to your internal apps. Then you can ignore outside CAs but still avoid MITM attacks.

--
rage, rage against the dying of the light