The Community for Technology Leaders
RSS Icon
Issue No.01 - January/February (2010 vol.14)
pp: 84-87
Stephen Farrell , Trinity College Dublin
Recently, a previously unknown, and not particularly complex, man-in-the-middle attack appeared, affecting all versions of the Transport Layer Security (TLS) protocol. TLS and its predecessors have been in widespread use for more than a decade and have been subject to detailed scrutiny from the security community over that period. Because TLS was also developed in a very open environment (the IETF), as is usually recommended by security professionals, the question arises: Why didn't we spot this sooner? In this article, the author outlines the new attack and ponders this question.
man-in-the-middle, TLS, SSL, security protocol development, practical security
Stephen Farrell, "Why Didn't We Spot That?", IEEE Internet Computing, vol.14, no. 1, pp. 84-87, January/February 2010, doi:10.1109/MIC.2010.21
1. T. Dierks and E. Rescorla, "The Transport Layer Security (TLS) Protocol, Version 1.2," IETF RFC 5246, Aug. 2008;
2. M. Ray and S. Dispensa, Renegotiating TLS, tech. report, Nov. 2009; http://extendedsubset.comRenegotiating_TLS.pdf .
3. E. Rescorla et al., "Transport Layer Security (TLS) Renegotiation Indication Extension," IETF Internet draft, work in progress, Nov. 2009.
4. L.C. Paulson, "Inductive Analysis of the Internet Protocol TLS," ACM Trans. Information Systems Security, vol. 2, no. 3, 1999, pp. 332–351.
5. S. Gajek et al., "Universally Composable Security Analysis of TLS," Proc. 2nd Int'l Conf. Provable Security, J. Baek et al., eds., LNCS 5324, Springer-Verlag, 2008, pp. 313–327.
25 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool