Man-In-the-Middle Vulnerability For SSL and TLS

Posted by Soulskill on Thursday November 5, 2009 @02:23AM from the alphabet-soup dept.

imbaczek writes "The SSL 3.0+ and TLS 1.0+ protocols are vulnerable to a set of related attacks which allow a man-in-the-middle (MITM) operating at or below the TCP layer to inject a chosen plaintext prefix into the encrypted data stream, often without detection by either end of the connection. This is possible because an 'authentication gap' exists during the renegotiation process, at which the MitM may splice together disparate TLS connections in a completely standards-compliant way. This represents a serious security defect for many or all protocols which run on top of TLS, including HTTPS."

1 of 170 comments (clear)

Min score:

Reason:

Sort:

Re:Wrong Impression? by John+Hasler · 2009-11-05 03:55 · Score: 5, Insightful

You pay money to certificate providers so that your customers won't be frightened away by scary browser warnings.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.