Blog Reactions
Recently identified security issue of SSL/TLS/HTTPS http://bit.ly/YjmZh can be used for a real world attack scenario http://bit.ly/315Gs8 (4 days ago)
If you care about Internet Security, keep an eye on this one: http://extendedsubset.com/?p=8 #SECURITY (8 days ago)
RT @bortzmeyer End of the world: do not wait 2012, exploit a TLS flaw http://extendedsubset.com/?p=8 (8 days ago)
tls mitm attack initial thoughts
terminal23 —
Saw this first shoot out on Twitter at the end of my workday, but without any details, I simply made a mental note to keep an eye out. Sooner than expected, further details on this TLS MITM attack have surfaced. ...
Vendors scrambling to fix bug in Net's security
Netflash —
... by security researcher HD Moore. By Wednesday afternoon, enough people were talking about the issue that PhoneFactor decided to go public with their findings. "At that point we felt like the bad guys knew and we felt we had a responsibility for the good guys to know too," said Sarah Fender, PhoneFactor's vice president of marketing. Fender couldn't say who was ready to patch the issue, but she noted that a number of open source products are "anxious" to push out a patch. "I think we'll see some patching in the near future," she said. The IDG News Service is a Network ...
A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.
Hackers Center —
Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for web transactions. Ray, who along with Dispensa works for two-factor authentication company PhoneFactor, explained in a blog post on Thursday that he had initially discovered the flaw in August, and demonstrated a working exploit to Dispensa at the beginning of September. ...
SSL and TLS Authentication Gap vulnerability discovered
Ivan Ristić —
... Marsh Ray's blog post (Marsh discovered the problem a couple of months ago) contains a detailed description of the problems in the attachment. ...
Generic Attack on SSL, TLS Exposed
Security Watch —
... , identified the problem some months ago. As he explains in his blog, he was working confidentially with industry and standards groups to identify the best way to proceed. Then the first public discussion came, coincidentally, ...
Interesting Information Security Bits for 11/05/2009
Infosec Ramblings —
... humor )
Here is the mother lode of cheat sheets. Focused on developers, but there are a few that are security related.
Cheat Sheet and Quick Reference Card Directory | devcheatsheet.com – Cheat Sheets for Developers.
Tags: ( cheatsheet )
This is the author’s page regarding the SSL/TLS vulnerability just announced. It was a bit more reader friendly and promises to be so again, but the information is still there.
extendedsubset.com
Tags: ( tls ssl vulnerability ) ...
Friday Summary - November 6, 2009
Security Bloggers Network —
... Password in the Cloud.
Shimmy … Solo.
OK, it’s finance, not security, but to echo Gunnar Peterson’s post, here is a ridiculously good interview with Charlie Munger. The video actually got me to change several long held opinions regarding the current financial crisis in an elegant and disarming way.
Cross-subdomain Cookie Attacks.
Man Sues Over Leaky Baby Monitor.
…and obviously: Renegotiating TLS.
Blog Comment of the Week
This week’s best comment ...
When Renegotiation is a Bad Thing: MITM Attacks on SSLv3/TLS Protocol
Speaking of Security, the RSA Blog and Podcast —
... the same byte code in the TLS protocol. The original SSLv3 specification should have used different byte codes for these two messages. The two messages are identical, but are used in different places in the handshake. Future protocol designers should remember to allocate message identifiers to indicate the use of a message, not its structure. So, now that I've briefly described the protocol attack, how does this apply to applications? In the case of HTTPS, an ingenious attack was proposed by security researcher Ray Marsh where the MITM sends an initial HTTP request, but ...