Information Security News mailing list archives

New DoS tool from THC: Another overhyped threat


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 27 Oct 2011 00:48:00 -0500 (CDT)

http://www.infoworld.com/t/security/new-dos-tool-thc-another-overhyped-threat-177167

By Woody Leonhard
InfoWorld
October 26, 2011

If you have a site that uses SSL encryption, right now might be a good time to find out if the site supports automatic SSL Renegotiation.

But the sky isn't falling, despite what you may have read. Yes, a German hacker group known as THC (The Hacker's Choice) has just released THC-SSL-DoS, which can bring down an HTTPS site with a DoS attack using an ordinary laptop -- but only if that site has SSL Renegotiation turned on.

Most HTTPS sites already have SSL Renegotiation turned off, so they aren't vulnerable. Apache 2.2.14, IIS 7.0, and OpenSSL 0.9.8l and earlier all shipped with SSL Renegotiation enabled by default, making them potential targets. If you have newer versions, SSL Renegotiation is disabled by default. An admin might've changed the setting, though, so it wouldn't hurt to make sure SSL Renegotiation is turned off.

Here's the whole story.

[...]

