SSL Renegotiation Attack Becomes Real 97
rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."
Kinda bad summary (Score:5, Insightful)
Important part of the article:
The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.
Re:Kinda bad summary (Score:5, Insightful)
The sky is falling (Score:4, Insightful)
It would be nice if FireFox updated with detection for sites that would allow this (and other) kinds of attacks. /Paranoid
With shit like this in the wild it's hard to know what sites to trust.
Re:Not worried, fixed already (Score:5, Insightful)
You are forgiven for the error. Anyone using a letter that could be mistaken for a number in any software version string should be cockpunched with brass knuckles coated in broken glass and lemon juice
Re:The sky is falling (Score:3, Insightful)
It would be nice if FireFox updated with detection for sites that would allow this (and other) kinds of attacks.
FF already nags enough.
Re:Just one phrase that fits. (Score:2, Insightful)
No it just means they will arrest him and throw him in jail next time he visits the USA on holiday.
Re:The sky is falling (Score:5, Insightful)
Frankly, I'd rather have an insecure internet than have an internet where everyone's identity was fully exposed and documented.
Re:Not worried, fixed already (Score:3, Insightful)
Their are also new packages for Apache2 for Debian for some other parts that needed to be disabled/changed, but it too is just a workaround.
Their isn't yet a real fix, because it's problem with the protocol it self.