
Inria finds holes in the protocol that protects Internet communications

March 2014 by inria

On 6 March 2014, during the IETF 89 meeting, an Inria research team announced it
had discovered several weaknesses in the TLS protocol, which is the principal means
of protecting communication on the Internet. In certain situations, hackers could take
advantage of these weaknesses to impersonate users, especially on bank websites and
enterprise networks. The breach only affects some Internet users, and patches to
web browsers are already available. However, the Inria researchers are
recommending changes to TLS.

TLS guards the Web

Our browsers, e-mail software, mobile phones, Wi-Fi boxes, and other devices
connecting to the Internet all use the TLS protocol. TLS is also the main guardian of
online financial transactions. But its security is under close scrutiny, especially since
the NSA snooping scandal and the revelation of critical breaches in Apple products.
In cooperation with Microsoft Research, the PROSECCO team at the Inria
Paris-Rocquencourt research centre wanted to mathematically prove the security of the
TLS protocol. In the process, they found a new hole, which a malicious server could
use to hijack the security certificate of an Internet user, and use it, for example, to
order a bank transfer from the user’s account.

Patches already applied

This is only a threat for a small fraction of all HTTPS URLs—only where TLS
certificates are used for authentication. Users need these certificates to give banks a
proof of identity or log on to company intranets. Those affected by this breach can
easily protect themselves by downloading the latest versions of Chrome, Firefox,
Safari, or Internet Explorer, which have removed the threat. The responsiveness of
browser programmers shouldn’t come as a surprise because the PROSECCO team
filled them in on the problem several months ago. ‘We’re used to working with them’,
says Karthik Bhargavan, who heads the PROSECCO team. ‘We suggested some
solutions, and most were applied.’

Other security gaps are a possibility

Bhargavan says this discovery does not resolve all TLS security issues. ‘We found a
hole. Others with less noble intentions might rush in. If we want to avoid similar alerts
over the coming years, TLS needs an overhaul.’ This week, the PROSECCO team
will begin discussions with the Internet Engineering Task Force (IETF), which
manages development of the TLS protocol.

