Nov062009

TLS Man-in-the-middle on renegotiation vulnerability made public

Published by hirantha at 7:32 AM under Security

TLS 1.0+ and SSL 3.0+ (known from among others "https") is vulnerable to a protocol weakness where a man in the middle attack could be worked in during the renegotiation phase in modern versions of the protocol.

While the details had been offered in a meeting with the IETF, vendors and the open source implementers of SSL privately, it appears an IETF mailing list came to finding it again. That seems to have prompted the original finders to offer up their finding publicly.

 

There does not seem to be much you can do till the protocol is fixed. The main problem seems to be with clients using certificate authentication.

Exploiting this requires the attacker to be able to intercept the traffic.



  [Twitter] [Digg] [Facebook] [Google] [StumbleUpon]

Tags: ,

 

E-mail | Permalink | Trackback | Post RSSRSS comment feed 0 Responses