Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Frank Breedijk, a security professional at a provider of mission critical outsourcing services called Schuberg Philis, based in the Netherlands, says that Rescorla’s draft does fix the protocol, but notes that it effectively creates two versions of TLS. If either the client or the server haven’t yet installed the fix, he says, the attack is still possible. “TLS/SSL clients and servers are omnipresent,” he says. “It’s not just browsers and Web servers. Mobile phones, wireless access points, DECT phones, home security systems, and so on, all have the technology in them.”

“If you believe that you need SSL at all, then you need this fixed,” says Ben Laurie, a founding director of the Apache Software Foundation and an OpenSSL developer.

That may be easier said than done, however.

Ray and Dispensa disclosed the flaw to affected vendors in late September, and Laurie says it’s been “no big deal” to write software that fixes it. What’s tricky, he says, is getting the patch installed everywhere it needs to be. The fix is “unprecedented,” Laurie says, because no one is fully protected until both the client and the server have installed the patch. As a result, browser makers working to fix the problem have to allow for a period when the client will continue to communicate with unpatched and possibly vulnerable servers.

“You can’t have the clients say, ‘Evil old server, can’t connect to that,’ because that would break the whole world,” Laurie says. This means that a second patch will have to be applied to clients later, when experts determine that enough servers have been patched.

The process of getting out all the patches is complex enough that Joe Salowey, TLS working group cochair and a technical leader at Cisco Systems, believes it will be a year or more before the fix will be fully in place.

3 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, Web, encryption, Internet Security, Internet protocols, patches, SSL

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me