SSL, used by Internet browsers for protecting information such as online banking passwords and credit card numbers in e-commerce applications, is widely regarded as the most important security software in existence.
Although several news sources - including the BBC - have proclaimed that a Swiss research team, operating from the Security and Cryptography Laboratory at the Department of Communication Systems at one of the country's highest-profile technology universities, EPFL, has "cracked" SSL, experts are keen to water down the claims.
Adam Pointon, a Melbourne based security consultant, described the reports circulating about the vulnerability as "overkill".
"Well they've found weaknesses in SSL, definitely, but they haven't 'broken' it," he said.
The reports have been based on a paper released by the Swiss researchers. Pointon says that the only reason this latest paper has caused such a sensation is because the protocol is commonly used, not because of the seriousness of the vulnerability.
"The only reason people are claiming that it's broken is because SSL is all over the place. Weaknesses have been found in other crypto protocols recently, but no one has claimed that they've 'broken' them," he told ZDNet Australia .
"People love to claim that they've broken SSL," he added.
In the paper that sparked the brouhaha, the author Brice Canvel claims the researchers were able to successfully exploit the identified weaknesses.
"Martin Vuagnoux, a student...has performed the attack and validated the results presented in the previous sections by intercepting passwords sent to an IMAP REV 4 server when checking emails with an Outlook Express 6.x client using a secure connection," it says.
The IMAP "proof of concept" attack has been incorrectly reported as a likely exploit for "webmail" systems, where in fact IMAP is a standard mail protocol with SSL capabilities, much like POP3 (Post Office Protocol).
The difference being that mail clients such as Outlook send a very simple data packet to the server when authenticating, and do so every time mail is checked. So every five minutes, the same password is sent to the server for authentication, and quite often it will send the password more than once.
In other words, people using mail services such as Hotmail and Yahoo over the web are not affected because they send the password only once to establish a secure "session". Online banking functions and e-commerce applications are also unaffected.
Richard Miller, an Enterprise Consultant with Verisign Australia, points out that contrary to reports, the problem is with the implementation of the SSL protocol, not the protocol itself.
"It's definitely an implementation issue," he said.
Pointon says that the security flaw isn't the end of the world, and agrees with Miller that it can be easily fixed. He said that although there's no room for complacency in data security, the weakness is very difficult to exploit.
"But still, it's a big deal," he said.
His views are similar to those of Paul Kocher, the guru who designed the latest SSL protocol, version 3.0. Slashdot.org posted his comments.
"Cryptographers need to be paranoid about unexpected situations. As a result, attacks can be important even if they are not practical to exploit under real- world conditions. The attack described in this paper is similar; while there are quite a few preconditions for mounting the attack, this does not make the research unimportant or mean that people should ignore the work," he wrote.
OpenSSL, makers of the most commonly used SSL software, have already issued a fix for the vulnerability.
