funsec mailing list archives
Re: So maybe the SSL bug is a non-issue ...
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 17 Nov 2009 18:45:52 -0500
(It sounds as if this exploit is system specific, and obvious unless
behind a client, but even so ...) Tim Callan of VeriSign pointed this out on his blog: https://blogs.verisign.com/ssl-blog/2009/11/more_on_the_ssl_renegotiatio n.php The command inserted was in fact an exploit of "...a vulnerability in Twitter's API that allows it to command Twitter to publish the credentials of the currently active account. And of course the currently active account by definition is the same as the one operated by the site visitor who owns this session." Without this other vulnerability (which I think Twitter has fixed already) what could you do in a Twitter SSL session? I guess you could tweet, follow, etc. I don't know enough about the vocabulary of the API to know if you can do that on the current session without a handle of some kind. Larry Seltzer Contributing Editor, PC Magazine larry_seltzer () ziffdavis com http://blogs.pcmag.com/securitywatch/ -----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah Sent: Tuesday, November 17, 2009 4:37 PM To: funsec () linuxbox org Subject: [funsec] So maybe the SSL bug is a non-issue ... and then again, maybe it's not ... More on the SSL/TLS renegotiation vulnerability - Twitter exploit http://bit.ly/2BDGBu (The Register) http://www.theregister.co.uk/2009/11/14/ssl_renegotiation_bug_exploited/ (It sounds as if this exploit is system specific, and obvious unless behind a client, but even so ...) ====================== (quote inserted randomly by Pegasus Mailer) rslade () vcn bc ca slade () victoria tc ca rslade () computercrime org There is a theory which states that if ever anybody discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another theory which states that this has already happened. - Douglas Adams victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/NoticeBored http://twitter.com/rslade _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- So maybe the SSL bug is a non-issue ... Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 17)
- Re: So maybe the SSL bug is a non-issue ... Larry Seltzer (Nov 17)