In the early throes of this past summer season, we blogged about the hackfest at Sony and other major institutions, break-ins in which confidential consumer data was exposed or stolen. What we found was that some companies had made log-ins and access to account information easy for customers, in an effort to create a good consumer experience. However, this well-intended endeavor also made customer accounts more vulnerable to hackers.
Now we hear that researchers have discovered a serious weakness in virtually all websites that use the Secure Sockets Layer (SSL) protocol to prevent eavesdropping on and tampering with communications across a network. According to the researchers, in their test labs they are able to decrypt data passing between a web server and an end-user browser that supports versions 1.0 and earlier of TLS (Transport Layer Security), the successor to SSL.
A fix is available: upgrade web browsers and websites to TLS version 1.1 or 1.2, which are not susceptible to this flaw. The problem is that versions 1.1 and 1.2 remain almost entirely unsupported in browsers and websites.
Researchers say upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies.
Researcher Thai Duong, who found the flaw together with Juliano Rizzo, put it this way: “Actually we have worked with browser and SSL vendors since early May, and every single proposed fix is incompatible with some existing SSL applications. What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa.”
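To see which side of that trade-off a given site is on, here is an added audit script (ours, not the post's or the researchers' code): it pins a client to one TLS version at a time so that a completed handshake proves the server still speaks that version, then classifies the result by the post's criteria (still accepts TLS 1.0; offers 1.1 or 1.2). The host, port and verdict labels are assumptions of this example.

```python
import socket
import ssl

# TLS 1.0 is the version the researchers can decrypt; 1.1 and 1.2 are the fix
# the post names. SSLv3 is skipped: most current ssl builds cannot speak it.
VULNERABLE = {"TLSv1"}
FIXED = {"TLSv1.1", "TLSv1.2"}
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_versions(host, port=443, timeout=5.0):
    """Return the set of version names `host` will negotiate. Each attempt
    pins the client to one version, so a completed handshake means the
    server still speaks it."""
    supported = set()
    for version in PROBE_VERSIONS.values():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # only the negotiated version matters here
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    supported.add(tls.version())
        except (ssl.SSLError, OSError, ValueError):
            pass  # handshake refused, or version not available locally
    return supported


def assess(supported):
    """Classify a server by the post's criteria: does it still accept the
    decryptable version, and does it offer a fixed one?"""
    accepts_old = bool(supported & VULNERABLE)
    offers_fix = bool(supported & FIXED)
    if not supported:
        verdict = "no TLS version negotiated"
    elif accepts_old and not offers_fix:
        verdict = "exposed: only TLS 1.0 offered"
    elif accepts_old:
        verdict = "exposed for old clients: TLS 1.0 accepted alongside 1.1/1.2"
    else:
        verdict = "not affected: TLS 1.0 refused"
    return {"accepts_tls1_0": accepts_old, "offers_fix": offers_fix,
            "verdict": verdict}
```

Running `assess(probe_versions("www.example.com"))` against your own site (hostname assumed) shows whether it still keeps TLS 1.0 open for older browsers or has moved entirely to 1.1/1.2.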
Herein lies the dilemma, especially if you run a revenue-producing website. Upgrade and patch the known vulnerabilities, and at the same time create incompatibilities with customers' web browsers, and thus potentially lose customers.
Or continue business as is, with the known vulnerabilities, and chalk up any break-ins as the “cost of doing business.”
There is no easy answer, but we do know human nature. History shows that many organizations will not improve security until forced to by some catastrophic event, which is unfortunate.