Information Security News mailing list archives
New DoS tool from THC: Another overhyped threat
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 27 Oct 2011 00:48:00 -0500 (CDT)
http://www.infoworld.com/t/security/new-dos-tool-thc-another-overhyped-threat-177167

By Woody Leonhard
InfoWorld
October 26, 2011

If you have a site that uses SSL encryption, right now might be a good time to find out if the site supports automatic SSL Renegotiation.
But the sky isn't falling, despite what you may have read. Yes, a German hacker group known as THC (The Hacker's Choice) has just released THC-SSL-DoS, which can bring down an HTTPS site with a DoS attack using an ordinary laptop -- but only if that site has SSL Renegotiation turned on.

Most HTTPS sites already have SSL Renegotiation turned off, so they aren't vulnerable. Apache 2.2.14, IIS 7.0, and OpenSSL 0.9.8l and earlier all shipped with SSL Renegotiation enabled by default, making them potential targets. If you have newer versions, SSL Renegotiation is disabled by default. An admin might've changed the setting, though, so it wouldn't hurt to make sure SSL Renegotiation is turned off.
Here's the whole story. [...]
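One way to run the check the article recommends against a server you administer, as an added example that is not part of the original article or of any tool it mentions. The helper names `probe_reneg` and `classify_reneg` are hypothetical, the sample transcripts are constructed, and the classification is a heuristic over `openssl s_client` output.

```shell
#!/bin/sh
# Added example: check whether a TLS server you administer still honours
# client-initiated renegotiation, via the "R" command of `openssl s_client`.
# probe_reneg and classify_reneg are hypothetical helper names.

# Open a TLS 1.2 session (TLS 1.3 has no renegotiation), ask for a
# renegotiation with "R", then send an HTTP request over the same session.
probe_reneg() {   # usage: probe_reneg host [port]
    host=$1; port=${2:-443}
    { sleep 2; echo R; sleep 2
      printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host"; sleep 3
    } | timeout 15 openssl s_client -connect "$host:$port" \
            -servername "$host" -tls1_2 2>&1
}

# Heuristic classification of an s_client transcript:
#   not-attempted  no RENEGOTIATING marker (connect or handshake failed)
#   accepted       an HTTP status line arrives after the marker
#   refused        nothing usable arrives after the marker
classify_reneg() {
    case $1 in
        *RENEGOTIATING*) after=${1#*RENEGOTIATING} ;;
        *) echo "not-attempted"; return 0 ;;
    esac
    if printf '%s\n' "$after" | grep -q 'HTTP/1\.[01] [0-9][0-9][0-9]'; then
        echo "accepted"
    else
        echo "refused"
    fi
}

# Constructed transcripts (not captured from a real server; exact
# openssl wording differs between versions).
SAMPLE_ACCEPTED='CONNECTED(00000003)
RENEGOTIATING
verify return:1
HTTP/1.1 200 OK'
SAMPLE_REFUSED='CONNECTED(00000003)
RENEGOTIATING
write:errno=104'
SAMPLE_DOWN='connect:errno=111'

# Probe only when a host is given: sh check_reneg.sh www.example.test 443
if [ -n "${1:-}" ]; then
    classify_reneg "$(probe_reneg "$@")"
fi
```

A result of `accepted` means the server completed a renegotiation the client asked for, which is the setting the article says to turn off.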