
SANS ISC: Reports of a successful exploit of the SSL Renegotiation Vulnerability? - Internet Security | DShield SANS ISC InfoSec Forums


Reports of a successful exploit of the SSL Renegotiation Vulnerability?

It's a brand new week... and what a way to start off a brand new week with a report of someone successfully exploiting the SSL Renegotiation Vulnerability against a rather "popular" Internet property.

Read all about it here.

G.N. White

ISC Handler on Duty

 

Data between the client and the real server remains encrypted in transit during the attack, but the Man-In-The-Middle can prepend the HTTP request with arbitrary data. To me, it sounded difficult to exploit, and that a sensibly-designed web app would be safe.

But the nature of the vulnerability reported today sounds akin to an XSS or XSRF vulnerability; 'popular' (haha) sites including Twitter seem to be riddled with them though.

Maybe there will be similar flaws uncovered in popular off-the-shelf apps like CMSes too, so it's worth being prepared for; patch your servers for the renegotiation vulnerability as soon as it's viable.
Anonymous
