Slashdot Mirror


SSL Renegotiation Attack Becomes Real

rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit. The attack description is available on securegoose.org. "A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."

3 of 97 comments

  1. Kinda bad summary by Virak · Score: 5, Insightful

    Important part of the article:

    He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.

    The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.

    1. Re:Kinda bad summary by teh_commodore · Score: 5, Insightful

      Oh good. We're totally fine. It only works on sites that are poorly designed. And Twitter's been patched, so that leaves, well, I guess no one.

      --
      --"insert clever quote here"
  2. Re:Not worried, fixed already by Anonymous Coward · Score: 5, Insightful

    You are forgiven for the error. Anyone using a letter that could be mistaken for a number in any software version string should be cockpunched with brass knuckles coated in broken glass and lemon juice.