This is a copy of the C2Net Press Release from 25 Jun 1998
This patch has been incorporated into the latest version of Stronghold. US and Canadian customers can download the newest build of Stronghold through the C2Net website - http://www.c2.net/products/stronghold/download. International customers of C2Net's products can download this build at http://www.int.c2.net/. Information on other C2Net products will be made available at both sites.
Late last week, RSA Data Security Inc. provided all the major secure web server vendors with information about the vulnerability. According to RSA, cryptographer Daniel Bleichenbacher of the Secure Systems Research Department of Bell Labs, a division of Lucent Technologies, discovered the weakness. Bleichenbacher found that a process of sending approximately a million specially constructed messages to a secure server, and monitoring the target server's response, could potentially discover the session key of an encrypted session. Additional information about the flaw is available on the Bell Labs Web site at http://www.bell-labs.com.
With this information, cryptographers at C2Net have been able to construct a patch that thwarts the potential security weakness. "At C2Net, the uncompromised security of our customers, and their customers in turn, is our number one priority," said Sameer Parekh, President and CEO of C2Net. "We are happy to be working with RSA to ensure that the security that SSL offers is never compromised in any of C2Net's products, and our team has responded with a patch that counters this potential attack."
The vulnerability affects interactive key establishment protocols that use the Public Key Cryptography Standard (PKCS) #1, including SSL. The PKCS series of standards are defined by RSA Laboratories, reviewed by industry and have been adopted by many major vendors of information systems and incorporated in national and international standards. The vulnerability does not apply to PKCS#1-based secure messaging protocols, such as Secure Electronic Transactions (SET) and Secure Multipurpose Internet Mail Extension (S/MIME) either because they are not susceptible to, or already implement mechanisms preventing this potential vulnerability. A technical overview of the attack and recommended countermeasures for installed SSL-based server software are available now on the RSA Labs Web Site at http://www.rsa.com/rsalabs/.
C2Net Software, Inc. (http://www.c2.net/) is the leading provider of full-strength network security software. Because it develops its products outside of the United States without the assistance of Americans, C2Net is able to offer full-strength 128-bit cryptographic solutions to customers worldwide. The company's Stronghold secure web server is currently the number one full-strength secure web server in the world, according to a secure web server survey by Netcraft, Ltd (http://www.netcraft.com/).