Blog Reactions
Hackers Center: A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.
Ivan Ristić: SSL and TLS Authentication Gap vulnerability discovered
neat MITM attack against TLS connections to MS IIS servers: http://bit.ly/4ciSN0 (13 days ago)
This is a little beyond me but it does look scary. ♺ @ioerror: Awesome new #TLS/SSLv3 protocol attack: http://is.gd/4Nxni http://is.gd/4NxnN (14 days ago)
Scramble on to fix flaw in SSL security protocol http://bit.ly/40i0e http://bit.ly/4ciSN0 (14 days ago)
A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt web pages, has been made public.
Hackers Center —
... as a preliminary solution. Ray said in his blog that he expected to see announcements from the multi-vendor collaboration "shortly", including an internet draft proposal for the fix. At the September meeting, Ray and Dispensa were informed about research being done by the IETF TLS Channel Bindings working group, which was following a similar line of inquiry into the TLS protocol. On Wednesday, Martin Rex, a member of the IETF TLS Channel Bindings working group and researcher at SAP, published a man-in-the-middle TLS renegotiation flaw in Microsoft IIS. The flaw, which is ...
SSL and TLS Authentication Gap vulnerability discovered
Ivan Ristić —
... advice can help the bypass of the client certificate authentication, though.
If you can, monitor all connections that make use of the renegotiation feature. That won't help you if renegotiation is an integral feature of your web site, but it may do if it is rarely used.
Further information:
Marsh Ray's blog post (Marsh discovered the problem a couple of months ago) contains a detailed description of the problems in the attachment.
The post by Martin Rex to the TLS mailing list that prompted public disclosure. ...
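The monitoring advice above can be turned into a concrete passive check. The following is an added example, not code from Ivan Ristić's post or from any project on this page: it walks one direction of a captured SSLv3/TLS 1.0-1.2 record stream and flags any Handshake record that appears after that side's Finished, which is exactly what a renegotiation looks like on the wire (the second ClientHello or HelloRequest is encrypted, but its record type is not). The record streams are constructed for illustration, not real captures.

```python
# Added example (not from Ivan Ristic's post or any project on this page):
# a passive check for TLS renegotiation over a captured record stream.
# Applies to SSLv3 / TLS 1.0-1.2 record framing; the sample streams below
# are constructed for illustration, not real captures.
import struct

CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23


def record(ctype: int, payload: bytes, version: int = 0x0301) -> bytes:
    """Frame one TLS record: type(1) version(2) length(2) payload."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def parse_records(stream: bytes):
    """Split one direction of a connection into (content_type, version, payload)
    tuples. Raises ValueError if the stream ends mid-record."""
    records = []
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, body))
        off += 5 + length
    return records


def renegotiation_offsets(stream: bytes):
    """Return [(record_index, byte_offset), ...] of Handshake records that
    belong to a renegotiation in this direction.

    Rule: once a side has sent ChangeCipherSpec, its next Handshake record
    is its (encrypted) Finished. Any further Handshake record in the same
    direction can only be a new handshake riding inside the established
    session: an encrypted ClientHello, HelloRequest, ServerHello, and so on."""
    hits = []
    off = 0
    ccs_seen = False
    finished_seen = False
    for idx, (ctype, _version, body) in enumerate(parse_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            ccs_seen = True
        elif ctype == HANDSHAKE and ccs_seen:
            if finished_seen:
                hits.append((idx, off))
            finished_seen = True
        off += 5 + len(body)
    return hits


def connection_renegotiated(client_to_server: bytes, server_to_client: bytes) -> bool:
    """True if either direction carries a handshake record after its Finished."""
    return bool(renegotiation_offsets(client_to_server)
                or renegotiation_offsets(server_to_client))


# Constructed client->server streams. Payloads after ChangeCipherSpec are
# opaque stand-ins for ciphertext; a monitor sees only the record headers.
CLEAN_STREAM = (
    record(HANDSHAKE, b"\x01" + b"\x00" * 7)        # ClientHello (plaintext)
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, b"\xaa" * 12)                # Finished (encrypted)
    + record(APPLICATION_DATA, b"\xbb" * 20)
)

RENEGOTIATED_STREAM = (
    CLEAN_STREAM
    + record(HANDSHAKE, b"\xcc" * 16)                # second ClientHello, encrypted
    + record(APPLICATION_DATA, b"\xdd" * 10)
)

if __name__ == "__main__":
    print("clean:", renegotiation_offsets(CLEAN_STREAM))                # []
    print("renegotiated:", renegotiation_offsets(RENEGOTIATED_STREAM))  # [(4, 61)]
```

Run both directions through `connection_renegotiated`: a server-initiated renegotiation begins with an encrypted HelloRequest from the server, which the same post-Finished rule catches in the server-to-client direction. The rule does not carry over to TLS 1.3, which removed renegotiation altogether.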
Generic Attack on SSL, TLS Exposed
Security Watch —
... . Then the first public discussion came, coincidentally, from Martin Rex of SAP on the IETF's TLS mailing list. Rex identified it as a problem specific, as far as he knew, to Microsoft's IIS, but he was on to the problem. ...
Yet Another SSL/TLS Vulnerability Released
...Application Security... —
... do rely on client side certificates for two-factor authentication. These groups should take notice and start preparing to implement any fixes when they are available. According to the Register article, this issue has been known since September and key players have been working to develop a solution. A new proposal is expected to be submitted to IETF today. Here are the links so far. Anyone out there have any more info at this time? Links: Register Article; Martin Rex; Related Security Research & Response. -Michael Coates ...
TLS negotiation flaw published
CGISecurity - Website and Application Security News —
Steve Dispensa and Marsh Ray have published a paper describing a weakness in the TLS negotiation process. This is the same attack discussed on the IETF TLS list. From the whitepaper: "Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks ...
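The quoted sentence about "chosen plaintext injected into the beginning of the application protocol stream" is easiest to grasp at the HTTP layer. The following is an added illustration, not code from the Ray/Dispensa paper or from any site quoted here: it models only what the server sees once the attacker's prefix and the victim's genuine request land in the same stream, not the TLS handshake manipulation that gets them there. The host name, paths, and cookie value are constructed.

```python
# Added illustration (not code from the Ray/Dispensa paper): what "chosen
# plaintext injected at the beginning of the application stream" means for
# HTTP. Only the application-layer splice is modelled; the TLS handshake
# manipulation that produces it is not. Host name, paths, and cookie value
# are constructed.


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, headers, body).
    Header names are lower-cased; a repeated header keeps the last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return method.decode(), target.decode(), headers, body


# What the attacker sends on its own TLS session with the server before the
# victim's handshake is spliced in. The last header is deliberately left
# unterminated: the victim's request line will be appended to it and become
# a harmless header value instead of starting a second request.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# The victim's genuine request, sent after its own handshake (which the
# server treats as a renegotiation of the attacker's session).
VICTIM_REQUEST = (
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def server_view(prefix: bytes, victim: bytes) -> bytes:
    """The server reads one continuous plaintext stream: prefix, then victim."""
    return prefix + victim


def spliced_request():
    """Parse the spliced stream the way the server would."""
    return parse_http_request(server_view(ATTACKER_PREFIX, VICTIM_REQUEST))


if __name__ == "__main__":
    method, target, headers, _ = spliced_request()
    print(method, target)          # GET /account/transfer?to=attacker&amount=1000
    print(headers["x-ignore"])     # GET /account/balance HTTP/1.1
    print(headers["cookie"])       # session=victim-session-token
```

The server executes the attacker's request line with the victim's Cookie attached, while the victim's own request line has been absorbed into the X-Ignore header. The attacker never decrypts anything; the bytes it chose simply precede the victim's in the stream the server reassembles, which is why the paper treats this as a protocol problem rather than an implementation bug.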
