SSL Renegotiation Attack Becomes Real
Posted by kdawson
from the laugh-a-while-you-can dept.
rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."
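The story does not say how to tell whether a given server is still exposed. As an added example (not part of the Slashdot summary or Kurmus's work), the shell snippet below classifies a server from the "Secure Renegotiation" line that `openssl s_client` prints in its connection summary: servers that negotiate the secure renegotiation extension (RFC 5746, the fix standardised for this issue) report "IS supported", older ones report "IS NOT supported". The two transcripts embedded in the block are constructed samples, not output captured from any real host, and `check_host`, the host name placeholder and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: classify a TLS server's renegotiation support from
# `openssl s_client` output. A server that does not advertise secure
# renegotiation (RFC 5746) is still exposed to the man-in-the-middle
# renegotiation issue described in the story.

# renego_status: reads s_client output on stdin and prints exactly one of
# "secure", "insecure" or "unknown". The whole input is captured first so
# that each pattern is tested against the same text.
renego_status() {
    input=$(cat)
    case "$input" in
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# check_host HOST [PORT]: runs the live check against a server (needs
# network access and the openssl CLI). Not invoked below.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | renego_status
}

# Constructed sample transcripts (trimmed to the lines that matter).
SAMPLE_SECURE='---
SSL handshake has read 2048 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
---'

SAMPLE_INSECURE='---
SSL handshake has read 1872 bytes and written 420 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE
---'

# Stand-alone demonstration over the constructed samples.
# Usage against a real server would be: check_host your.server.example 443
echo "sample A: $(printf '%s\n' "$SAMPLE_SECURE"   | renego_status)"
echo "sample B: $(printf '%s\n' "$SAMPLE_INSECURE" | renego_status)"
```

The `case` match on the captured text is deliberate: piping the same stdin through two successive `grep` calls would let the first one consume the input, so the second test would always see an empty stream. The result "unknown" is returned for transcripts that contain neither line, for instance when the handshake failed before the summary was printed, so a monitoring job can treat it as a failed check rather than a pass.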
Re:Just one phrase that fits. (Score:4, Funny)
Well, I suppose that's another benefit of Twitter.. (Score:5, Funny)
It's nice to have a Sandbox for testing the latest and greatest hacks and security protocols, where no one cares about the user and/or what information they've posted on the site.
Re:Don't worry. It'll be fixed soon. (Score:2, Funny)
Re:Just one phrase that fits. (Score:4, Funny)
Hopefully this will make people tweet a tad bit less.
I fear it's like hoping a large sponge will be able to lower ocean levels a foot. For some people, I'm sure they would only slack off on their Twitter use if the exploit made your computer grow a foot and kick you in the groin every time you tweeted.
Re:Kinda bad summary (Score:4, Funny)
The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.
Well, I'm not doing my banking on Twitter anymore, that's for sure!
Re:Don't worry. It'll be fixed soon. (Score:4, Funny)
That one burned down, fell over, and THEN sank into the swamp...
hmmmmm (Score:4, Funny)
Microsoft should have a patch in about 8 years, Apple will have lashed its developers until there are no further utterances of this problem, Adobe will ask what model phone it affects, Oracle will ship another box of stupid mugs and t-shirts to me as soon as I complain about the vulnerability, Dell will insist I continue to wait for the DRAC to load its SSL page, and I think most importantly my bank will have little, if ANY, clue what I'm talking about.
I need about, say, a million open source eyes on this problem. Gentlemen, the internet appears broken and I'm offering beer to fix it.