funsec mailing list archives

SSL/TLS broken?


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Mon, 9 Nov 2009 15:50:40 -0800

Ummmm, are we missing something?  As far as I can see, this affects *any* kind 
of e-commerce, but I'm not seeing much discussion on it ...

"A serious bug in the technology used to transfer information securely on the 
Internet lies in the SSL protocol, best known as the technology used for secure 
browsing on Web sites beginning with HTTPS.  The bug lets attackers intercept 
secure SSL with a man-in-the-middle attack. Although the flaw can only be 
exploited under certain circumstances, it could be used to hack into servers in 
shared hosting environments, mail servers, databases, and many other secure 
applications.  Further complicating matters is the fact that the bug was 
inadvertently disclosed on an obscure mailing list on November 4, forcing vendors 
into a mad scramble to patch their products. The issue was discovered in August by 
researchers at PhoneFactor, a mobile-phone security company. They had been 
working for the past two months with a consortium of technology vendors called 
the ICASI (Industry Consortium for Advancement of Security on the Internet) to 
coordinate an industry-wide fix for the problem, dubbed “Project Mogul.” But their 
plans were thrown into disarray on November 4 when a SAP engineer stumbled 
across the bug on his own. Apparently unaware of the seriousness of the issue, he 
posted his observations on the issue to an IETF (Internet Engineering Task Force) 
discussion list. It was then publicized by a security researcher. By the afternoon of 
November 5, enough people were talking about the issue that PhoneFactor decided 
to go public with their findings."


http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SSL_security_protocol

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Remember, Ginger Rogers did everything Fred Astaire did, but she
did it backwards and in high heels.               - Faith Whittlesey
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.