|A powerful new type of Internet attack works like a telephone tap, but it operates between computers and Web sites they trust.|
Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them. If a criminal infiltrates a network, he can set up a secret eavesdropping post and capture credit card numbers, passwords and other sensitive data flowing between computers on that network and sites their browsers have deemed safe.
In an even more nefarious plot, an attacker could hijack the auto-update feature on a victim's computer, and trick it into automatically installing malware pulled in from a hacker's Web site. The computer would think it's an update coming from the software manufacturer.
The attack was demonstrated by three hackers. Independent security researcher Moxie Marlinspike presented alone, while Dan Kaminsky, with Seattle-based security consultancy IOActive Inc., and security and privacy researcher Len Sassaman presented together.
They reached essentially the same conclusion: There are major problems in the way browsers interact with Secure Sockets Layer (SSL) certificates, which is a common technology used on banking, e-commerce and other sites handling sensitive data.
Browser makers and the companies that sell SSL certificates are working on a fix.
Microsoft Corp., whose Internet Explorer browser is the world's most popular, said it was investigating the issue. Mozilla Corp., which makes the No. 2 Firefox browser, said most of the problems being addressed were fixed in the latest version of its browser, and that the rest will be fixed in an update coming this week.
VeriSign Inc., one of the biggest SSL certificate companies, maintains that its certificates aren't vulnerable.