Net security hole could take year to fix

Written by John P Mello Jr on January 19, 2010 – 4:56 pm

A fix for a flaw in an important Internet security protocol is ready for prime time, but it will be many months before the patch is fully implemented, according to technical experts.

The authentication vulnerability in TLS/SSL, which is the most common security code on the Net, could be exploited by hackers for all kinds of mischief. Because the protocol is built into browsers and Web servers to protect high-value information, the flaw impacts a wide scope of technologies, including online banking, back-office systems using Web-based protocols, non-HTTP applications such as mail and database servers, mobile phones, wireless access points, DECT phones and home security systems.

The vulnerability was discovered last September by researchers at PhoneFactor, a security service provider in Overland Park, Kansas, but was kept under wraps until November when another security expert, working independently, made the flaw public on a mailing list sponsored by the Internet Engineering Task Force (IETF).

With the cat out of the bag, PhoneFactor decided to push out a press release on the subject. In it CTO Steve Dispensa, who, along with Marsh Ray, initially unearthed the flaw, stated,

“Because this is a protocol vulnerability, and not merely an implementation flaw, the impacts are far-reaching. All SSL libraries will need to be patched, and most client and server applications will, at a minimum, need to include new copies of SSL libraries in their products. Most users will eventually need to update any software that uses SSL.”

“The discovery of this vulnerability speaks to a larger issue with single channel authentication protocols,” he added. “While this vulnerability is larger in scope than many, man-in-the-middle attacks have been a known threat for some time. Out-of-band protocols should be considered when possible to help mitigate the risk of these attacks.”


Debugging SMTP and TLS errors in Outlook

Written by Mike Rede on October 5, 2009 – 4:35 pm

Sending secure email often means troubleshooting TLS and SMTP error messages in Outlook.

Transport Layer Security (TLS) is a cryptographic protocol used to encrypt traffic over networks such as the Internet. Use TLS encryption for servers that require basic authentication. With so much critical information such as usernames and passwords passing through your network, why take the risk that someone snooping could eavesdrop and pull out important corporate information? Implementing encryption and other security measures can help to protect your corporate jewels. Enforcing security requires users to match the encryption level you set when they try to negotiate access to your network and servers. Without the same level of security, messages will be returned and non-delivery reports (NDRs) will be generated.

Simple Mail Transfer Protocol (SMTP) is used for sending outgoing mail for both POP and IMAP clients and is well known for its vulnerabilities, such as spoofing of emails.
