SSL Renegotiation Attack Becomes Real - Slashdot

Slashdot

SSL Renegotiation Attack Becomes Real 97

Posted by kdawson on Monday November 16 2009, @07:30PM
from the laugh-a-while-you-can dept.

rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."

This discussion has been archived. No new comments can be posted.

SSL Renegotiation Attack Becomes Real

Search 97 Comments Log In/Create an Account

Comments Filter:

Kinda bad summary (Score:5, Insightful)

by Virak (897071) writes: on Monday November 16 2009, @07:53PM (#30123856) Homepage

Important part of the article:
He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.
The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.

Share
twitter facebook
Re:Kinda bad summary (Score:5, Insightful)

by teh_commodore (1099079) writes: on Monday November 16 2009, @07:58PM (#30123898)

Oh good. We're totally fine. It only works on sites that are poorly designed. And Twitter's been patched, so that leaves, well, I guess no one.

Parent Share
twitter facebook
The sky is falling (Score:4, Insightful)

by LBt1st (709520) writes: on Monday November 16 2009, @09:42PM (#30124782) Homepage

It would be nice if FireFox updated with detection for sites that would allow this (and other) kinds of attacks.
With shit like this in the wild it's hard to know what sites to trust. /Paranoid

Share
twitter facebook
Re:Not worried, fixed already (Score:5, Insightful)

by Anonymous Coward writes: on Monday November 16 2009, @10:06PM (#30124918)

You are forgiven for the error. Anyone using a letter that could be mistaken for a number in any software version string should be cockpunched with brass knuckles coated in broken glass and lemon juice

Parent Share
twitter facebook
Re:The sky is falling (Score:3, Insightful)

by Frosty Piss (770223) writes: on Monday November 16 2009, @10:07PM (#30124930)

It would be nice if FireFox updated with detection for sites that would allow this (and other) kinds of attacks.
FF already nags enough.

Parent Share
twitter facebook
Re:Just one phrase that fits. (Score:2, Insightful)

by Anonymous Coward writes: on Monday November 16 2009, @10:10PM (#30124948)

No it just means they will arrest him and throw him in jail next time he visits the USA on holiday.

Parent Share
twitter facebook
Re:The sky is falling (Score:5, Insightful)

by socceroos (1374367) writes: on Tuesday November 17 2009, @12:27AM (#30125740)

People ought to stop blaming "The Web" as being inherently insecure. As much as you drill down into it, when party1 communicates with party2 and party1 isn't intimately familiar with party2's identity then transactions of information will always be prone to being exploited. This goes for human interaction (face to face) as well as human-to-computer interaction.

Frankly, I'd rather have an insecure internet than have an internet where everyone's identity was fully exposed and documented.

Parent Share
twitter facebook
Re:Not worried, fixed already (Score:3, Insightful)

by Lennie (16154) writes: on Tuesday November 17 2009, @12:41PM (#30130346) Homepage

You have to remember it's not a fix. It's a workaround, it just disables part of the protocol.

Their are also new packages for Apache2 for Debian for some other parts that needed to be disabled/changed, but it too is just a workaround.

Their isn't yet a real fix, because it's problem with the protocol it self.

Parent Share
twitter facebook

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

473 commentsYour Passwords Don't Suck — It's Your Policies
418 commentsFBI Says American Universities Infiltrated by Spies
391 commentsAdobe Introduces the Paid Security Fix
343 commentsSymantec: Religious Sites "Riskier Than Porn For Viruses"
333 commentsOsama Bin Laden Didn't Encrypt His Files

Use the Force, Luke.