Domain: educatedguesswork.org
Stories and comments across the archive that link to educatedguesswork.org.
Comments · 10
-
Re:Completely useless...
Don't forget the symmetric may change several times in a course of an TLS session. It is called renegotiation. It was made to make things more secure than a single symmetric key but funnily enough, it got exploited...
https://tools.ietf.org/html/rfc5746
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION
-
Re:Microsoft is correct
Microsoft's proposal is more flexible, stateless, simpler to implement, and is more "web-ish"
Sounds a bit like you've bought into Microsoft's claims a little too soon.
-
I'm the guy who found CVE-2009-3555 renego bug
This is not a bug. We fixed renegotiation with the RFC 5746 RI extension! That said, SSL has long been known to impose more work on the server than on the client and renegotiations are no different than initial handshakes in this respect.
Servers that accept client-initiated renegotiation make things slightly more efficient for the DoS attacker, it saves him maybe three packets. More significantly, it may bypass mitigations that are only looking for TCP SYN packets. But the attacker's mileage will vary.
Eric Rescorla (SSL/TLS RFC author) has a good blog post about the issue. http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
-
Analysis of this from TLS WG Chair
Good analysis of this at
http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.htmlAs far as I can tell, Rescorla is trying to polity say this attack is crap. Shocking, yet another low grade hack trying to up publicity.
-
Good explanation of the bug by TLS spec author
A good source of info about what this attack is and how serious it is can be found at
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html -
Educated Guesswork link with explanation
I think this blog site explains best:
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
-
Re:America's unjust sex lawsThe Science of Fear by Daniel Gartner talks about this at length, especially an interesting statistic that keeps getting repeated:
"at any given time, 50,000 predators are on the Internet prowling for children."
In this case, cited by Alberto Gonzalez, who references Dateline as his source. This statistic is incredibly spurious, and everyone here on Slashdot should understand why.
Sex offenders are real, but the debate is particularly muddied by misinformation. -
This is nothing new
Have you ever heard of an alcohol vaporizer? Minimal hangover, fast onset of effects, and reduced health risk compared to excessive drinking. All the properties of this proposed "synthahol". Unfortunately, this is how we celebrate innovation in our society. So I wouldn't hold out hope for whatever this guy creates staying legal for too long...
-
Wow, it took a whole FOUR DAYS...
Any way, in this particular case auto-running content is not exploited anyway.
But it is in this one.
Wow, it took a whole four days before the next "Open safe files" exploit.
HELLO, APPLE, CAN YOU GET THE HINT THIS TIME? -
THAT DIDN'T TAKE LONG
Safari will not automatically open things anyway, and will ask you before decompressing anything with an executable in it.
Oh, Really?
Yes I can bloody well say "I told you so".