This is a service of EIN News a digital news provider
IT Industry Today

DeepSec discusses SSL security hole: Anyone can pretend to be a bank

November 7, 2009

The recent bug in SSL libraries shows that fraud with allegedly secure SSL certified websites is possible. The DeepSec In-Depth Security Conference invites everyone interested in secure communication to join the experts.

VIENNA, AUSTRIA, November 07, 2009 /24-7PressRelease/ -- When is a website truly secure? Most users are convinced that a website encrypted with Secure Sockets Layer (SSL), as used by webshops or banks, is safe. The logic behind it is that nothing can happen because the contents are encrypted. "But unfortunately this may be a fallacy", warns Rene Pfeiffer of the International Security Conference DeepSec (https://deepsec.net/), which will be held from 17 to 20 November in Vienna for the third time, bringing together the world elite from the areas of network security and hacking. Moxie Marlinspike, an expert in encryption systems from the Institute For Disruptive Studies, will be presenting dangerous holes in the encryption with SSL and HTTPS that enable hackers to pass themselves off as any other website. "In the wrong hands, it opens the floodgates to frauds", warns Pfeiffer.

"An error discovered by Moxie Marlinspike in the way these certificates are issued means that you can get a certificate for a website you don't own, such as eBay, PayPal or a bank", Pfeiffer explains. This means that, when a customer wishes to send money from his bank account, for example, you can pretend to be his bank and get his access data. "Naturally, this can lead to massive misuse", Pfeiffer warns. Moreover, by means of a so-called SSL sniff method, encrypted data traffic can be monitored on the Net, which may lead to the disclosure of passwords, credit card data or bank access data without the user being aware of it. The error is so serious that Microsoft felt obliged to release a patch that was delivered a few days ago.

In a two-day workshop on the topic of "Designing Secure Protocols and Intercepting Secure Communication" on 17 and 18 November at DeepSec, Moxie Marlinspike will analyse the architecture of encryption systems in detail and show ways to avoid such attacks. Security systems must be planned in detail, otherwise you feel safe while you actually aren't. "This information is essential not least for banks and insurance companies, since customers entrust these organisations with considerable shares of their assets", says Pfeiffer. Security holes in online banking could be used to seriously damage the customers' trust in internet banking.

Being a neutral platform, DeepSec brings together in Vienna the hacker community, IT/security companies, officials and researchers to exchange thoughts and experiences in lectures and workshops. The conference, whose overall motto this year is "Espionage and How to Avert It", also wants to counteract the widespread prejudice that hackers are automatically criminals. "For many of them it's really about identifying safety holes and making them public. Only then can they be closed", according to Pfeiffer.

The complete programme with a summary of the contributions:
https://deepsec.net/schedule

To register for DeepSec go to: https://deepsec.net/register/

DeepSec 2009, the In-Depth Security Conference, November 17-20 in The Imperial Riding School Vienna, Austria.

---
Press release service and press release distribution provided by http://www.24-7pressrelease.com
