This is a vulnerability that affects almost every SSL implementation
San Francisco, CA (PRWEB) August 3, 2009
Mocana has announced that its SSL software, NanoSSL™, is among the few implementations safe from a recently discovered security vulnerability that allows criminals to steal credit card numbers over the Internet by impersonating legitimate storefronts like Amazon.com.
Last week two researchers uncovered vulnerabilities in SSL that allow an attacker to impersonate any website and fool a consumer into filling out fake forms and turning over private information, including credit card numbers.
Usually when a user visits a secure website, like eBay.com, the user's browser checks the website's certificate to verify its authenticity - kind of like checking a digital ID card. But last week researchers Dan Kaminsky and Moxie Marlinspike, working separately, each showed how an attacker can obtain a certificate with a special character that would fool nearly all popular browsers into believing (for example) that an attacker's fake Amazon.com storefront is, in fact, the legitimate one.
The vulnerability occurs when developers improperly implement the Secure Sockets Layer (or SSL) security standard in their software or web browsers. And the mistake is very, very common.
"This is a vulnerability that affects almost every SSL implementation," Mr. Marlinspike told the Wired.com blog 'Threat Level', "because almost everybody who has ever tried to implement SSL has made the same mistake."
Fortunately, Mocana's NanoSSL product is immune to this attack. No patching is needed. Why?
This particular attack is against the "common name" embedded within a certificate. Certificates are written in a format called ASN.1, and it's tricky to write code that handles ASN.1 correctly. That's why extensive code testing is so important, and why Mocana uses custom fuzz tests for certificate handling, written from scratch. Mocana's NanoSSL code uses length-prefixed strings instead of the more common null-terminated C strings. This lets NanoSSL compare two strings or pieces of text byte for byte over their full length, and helps make NanoSSL immune to the recently announced attack.
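The comparison problem described above, as an added illustration that is not Mocana's or NanoSSL's code: a certificate's Common Name arrives as an ASN.1 string element carrying an explicit length, so it may legitimately contain a 0x00 byte, while C's string functions stop at the first 0x00 they see. The constructed sample below (placeholder hostnames, hand-built DER bytes, hypothetical function names) shows a minimal ASN.1 reader that recovers the true length, a NUL-terminated comparison that accepts the wrong name, and a length-aware comparison that rejects it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a DER PrintableString (tag 0x13) whose content is
 * "www.example.com" + 0x00 + ".attacker.test" (30 bytes, length byte 0x1E).
 * Hostnames are placeholders; this is an illustrative value, not a real certificate. */
static const unsigned char SAMPLE_CN_TLV[] = {
    0x13, 0x1E,
    'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m',
    0x00,
    '.','a','t','t','a','c','k','e','r','.','t','e','s','t'
};

#define EXPECTED_HOST "www.example.com"   /* placeholder hostname the client expects */

/* Minimal ASN.1 TLV reader for a short-form (length < 128) string element.
 * Hypothetical helper. Returns 1 and sets *content/*content_len on success,
 * 0 on malformed input (wrong tag, long-form length, or length past the buffer). */
int asn1_read_short_string(const unsigned char *der, size_t der_len,
                           const unsigned char **content, size_t *content_len)
{
    size_t len;
    if (der_len < 2) return 0;
    if (der[0] != 0x13 && der[0] != 0x0C) return 0;  /* PrintableString or UTF8String */
    if (der[1] & 0x80) return 0;                       /* long-form length not handled here */
    len = der[1];
    if (len > der_len - 2) return 0;                   /* declared length exceeds the buffer */
    *content = der + 2;
    *content_len = len;
    return 1;
}

/* Vulnerable pattern: the CN is handed to strcmp as a C string, so the ASN.1
 * length is ignored and the comparison stops at the embedded 0x00 byte.
 * (Real code would first copy the CN into a buffer; here the embedded NUL
 * terminates the read so no over-read occurs on the sample.) */
int cn_matches_cstring(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                                     /* the length is ignored: this is the bug */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened pattern: honour the ASN.1 length. Lengths must match exactly, an
 * embedded NUL is rejected outright, and every byte is compared with memcmp. */
int cn_matches_length(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t host_len = strlen(host);
    if (cn_len != host_len) return 0;
    if (memchr(cn, '\0', cn_len) != NULL) return 0;   /* a hostname never contains NUL */
    return memcmp(cn, host, cn_len) == 0;
}

/* Content length the reader recovers from the sample (30), or -1 if it fails to parse. */
int sample_cn_length(void)
{
    const unsigned char *cn; size_t cn_len;
    if (!asn1_read_short_string(SAMPLE_CN_TLV, sizeof SAMPLE_CN_TLV, &cn, &cn_len)) return -1;
    return (int)cn_len;
}

/* Verdict of the vulnerable comparison on the sample: 1 means "accepted". */
int sample_verdict_cstring(void)
{
    const unsigned char *cn; size_t cn_len;
    if (!asn1_read_short_string(SAMPLE_CN_TLV, sizeof SAMPLE_CN_TLV, &cn, &cn_len)) return 0;
    return cn_matches_cstring(cn, cn_len, EXPECTED_HOST);
}

/* Verdict of the length-aware comparison on the sample: 0 means "rejected". */
int sample_verdict_length(void)
{
    const unsigned char *cn; size_t cn_len;
    if (!asn1_read_short_string(SAMPLE_CN_TLV, sizeof SAMPLE_CN_TLV, &cn, &cn_len)) return 0;
    return cn_matches_length(cn, cn_len, EXPECTED_HOST);
}

int main(void)
{
    printf("ASN.1 length of sample CN: %d bytes\n", sample_cn_length());
    printf("strcmp-based check accepts sample: %d\n", sample_verdict_cstring());
    printf("length-aware check accepts sample: %d\n", sample_verdict_length());
    return 0;
}
```

The length-aware version also rejects a CN that is a prefix or an extension of the expected host, because the length comparison runs before any byte comparison; the reader only handles short-form lengths, which is enough for the sample but not for a general certificate parser.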
Developers who want to patch this vulnerability in their old commercial or open-source SSL implementations are invited to download a free evaluation copy of Mocana's professional NanoSSL software at http://www.mocana.com/evaluate.html.
Mocana secures the "Internet of Things" - the 40 billion devices that are increasingly connecting to networks across every sector of our economy including Datacom, Smartgrid, Federal, Consumer and Medical. These devices already outnumber workstations on the Internet by about five to one, representing a $900 billion market that's growing four times faster than the PC market.
Today, sophisticated attacks that evolved on PCs and became more virulent on the Internet are being re-targeted towards the comparatively defenseless Internet of Things. Unfortunately, PC security approaches can't solve this rapidly evolving "device integrity problem." A new approach is needed.
Mocana delivers the industry's only comprehensive Device Security Framework™, designed to protect the integrity of these connected devices using a combination of device-resident software and services delivered from the cloud. Mocana's security software protects all aspects of any connected device, including the applications and services that run on them, and consequently helps protect the networks to which these devices connect as well.
Mocana's solutions help product teams get new devices to market faster while dramatically increasing confidence, trust and compliance among OEMs, service providers and their customers. Every day, millions of people use products sold by over 100 companies that leverage Mocana's device integrity software, including Dell, Cisco, Honeywell, General Electric, General Dynamics, Avaya, Nortel Networks, Harris and Radvision among others. Mocana won Frost & Sullivan's Technology Innovation of the Year award for 2008 for Device Security, and was named to the Red Herring Global 100 as one of the "top 100 privately-held technology companies in the world" in January 2009.