
CASC finds SSL security remains rock solid

A respected leader in computer security has disputed recent research findings that suggested vulnerabilities in SSL cryptography. The Certificate Authority Security Council (CASC), an industry advocacy group whose goal is to promote advanced security standards, encourage best practices and devise proactive solutions to continually improve the Secure Sockets Layer (SSL) ecosystem, responded in a blog post that the attacks performed by Professor Dan Bernstein of the University of Illinois at Chicago do not represent an immediate practical threat to SSL users, including those in online banking, e-commerce, and social networking sectors.

According to Andy Greenberg of Forbes, Professor Bernstein presented a method for breaking both Transport Layer Security (TLS) and SSL when they are combined with RC4, another widely used encryption technology. Bernstein's findings suggested that a pattern exists in the random number generation that would eventually allow encrypted information to become readable after tens of millions of generations.

The danger some computer security experts like fellow researcher Kenny Paterson see from this finding is that "an attacker could use a malicious ad, a hijacked portion of a website, or a compromised router to feed the identical message" to an unaware user repeatedly, said Greenberg. If given enough time with a browser open to a malicious page, an attacker could theoretically break the encryption.

Suggested vulnerability requires exceptional conditions

The problem CASC finds with the research findings is that an attack like the one described above requires a message to be sent over a connection many times over an unnaturally prolonged period of time.

"If the attacker's software could send the same message over and over 10 times per second, it would still take more than 3 years for the attack to succeed," said Symantec Technical Director Rick Andrews in the CASC blog post.

CASC pointed to the fact that SSL was designed to support the development of more sophisticated algorithms to address weaknesses that might exist at any point in time. With stronger encryption constantly being developed and integrated into SSL sockets, CASC suggests that web servers and browsers follow suit through regular security improvements.

"The fact remains, SSL/TLS is still the most scalable, efficient cryptographic protocol available now and, with the number of researchers focused on its protocols, will only continue to get stronger in the future," said Andrews.

The Thawte Trusted Seal is a recognized symbol of security in encryption technology. Stop by Thawte today to purchase the latest in SSL certificates.
