[foaf-protocols] Security hole in SSL/TLS
Peter Williams
home_pw at msn.com
Sun Nov 15 17:57:12 CET 2009
Still no evidence that any ssl countermeasure was compromised. To the
contrary, the protected-payload (2layer internal ssl) architecture
shows its class.
You could argue that https had been broken (again) though, since the
attacker is leveraging the hypermedia and http properties specific to
https.
I've whined for years that folks have far too simplistic a mental
model of https (differentiated from ssl).
If low-assurance https endpoint implementations handle payloads on the
tcp or record layer bearer other than those offering https-specific
protections, expect vulnerabilities.
On Nov 15, 2009, at 8:41 AM, Melvin Carvalho
<melvincarvalho at gmail.com> wrote:
> On Thu, Nov 5, 2009 at 3:35 PM, Simon Reinhardt
> <simon.reinhardt at koeln.de> wrote:
>> Hi
>>
>> Just a quick heads up:
>>
>> http://extendedsubset.com/?p=8
>> http://www.links.org/?p=780
>> http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
>>
>> Seems like there is a design flaw in SSL/TLS which leads to a major
>> security risk.
>
> Indeed
>
> http://www.theregister.co.uk/2009/11/14/ssl_renegotiation_bug_exploited/
>
> successfully targeted the so-called SSL renegotiation bug to steal
> Twitter login credentials that passed through encrypted data streams
>
>>
>> Regards,
>> Simon
>> _______________________________________________
>> foaf-protocols mailing list
>> foaf-protocols at lists.foaf-project.org
>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>>
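The point about low-assurance endpoints handling payloads on the bare record layer, modelled as an added example (not code from the list or any project): a server that keeps one request buffer across a TLS renegotiation lets an unfinished request head from the earlier handshake context be completed by the authenticated peer's bytes, while a payload-aware handler discards partial data whenever the handshake epoch changes. The records, paths, header name and cookie below are constructed sample data.

```python
# Constructed model of request handling across a TLS renegotiation boundary.
# Assumption: each decrypted application-data record is tagged with the
# handshake "epoch" it was protected under (0 before, 1 after renegotiation).
from dataclasses import dataclass


@dataclass
class AppRecord:
    epoch: int    # handshake epoch the record was protected under
    data: bytes   # decrypted application data


def split_heads(buf: bytes) -> tuple[list[bytes], bytes]:
    """Return (complete HTTP request heads, leftover partial bytes)."""
    heads = []
    while b"\r\n\r\n" in buf:
        head, buf = buf.split(b"\r\n\r\n", 1)
        heads.append(head)
    return heads, buf


def naive_endpoint(records: list[AppRecord]) -> list[tuple[int, bytes]]:
    """Low-assurance handling: one buffer for the whole TCP connection, so a
    request is attributed to whichever epoch was current when it completed."""
    buf, out = b"", []
    for rec in records:
        buf += rec.data
        heads, buf = split_heads(buf)
        out += [(rec.epoch, h) for h in heads]
    return out


def strict_endpoint(records: list[AppRecord]) -> list[tuple[int, bytes]]:
    """Payload-aware handling: a request must be built entirely from records
    of one epoch; partial bytes are dropped when the epoch changes."""
    buf, out, cur = b"", [], None
    for rec in records:
        if rec.epoch != cur:
            buf, cur = b"", rec.epoch   # discard leftovers from the old context
        buf += rec.data
        heads, buf = split_heads(buf)
        out += [(rec.epoch, h) for h in heads]
    return out


# Constructed traffic: an unfinished head before renegotiation, then the
# authenticated peer's complete request after it.
SAMPLE = [
    AppRecord(0, b"GET /settings HTTP/1.1\r\nX-Pad: "),
    AppRecord(1, b"GET /home HTTP/1.1\r\nCookie: sid=abc123\r\n\r\n"),
]
```

Run `naive_endpoint(SAMPLE)` and `strict_endpoint(SAMPLE)` side by side: the naive handler reports one request whose path came from epoch 0 and whose cookie came from epoch 1; the strict handler reports only the epoch-1 request.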