
Secret net security flaw exposed by accident

Security layers such as HTTPS are at risk until the SSL flaw is fixed

An unusual cloak-and-dagger operation being run by internet security experts has been exposed this week, after details of a flaw in the SSL protocol were made public.

The problem with the Secure Sockets Layer standard, which keeps e-commerce websites, mail servers and more safe from attack, was first discovered in August by a phone-security firm called PhoneFactor.

Secret project

That company immediately set to work with the Industry Consortium for Advancement of Security on the Internet (ICASI) to fix the issue in secret so as not to alert hackers.

However, an engineer working independently of ICASI found the flaw by himself this week and posted the details online in an effort to find a solution.

Naturally, the buzz about SSL potentially failing spread like wildfire, prompting ICASI and PhoneFactor to go public immediately.

Good guys need to know

The company's Sarah Fender explained why: "At that point we felt like the bad guys knew and we felt we had a responsibility for the good guys to know too."

So far, no actual exploits of the SSL flaw have been found in the wild, meaning there's still hope that it can be fixed before it claims its first victim.