funsec mailing list archives

Re: SSL/TLS broken?


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 10 Nov 2009 15:01:27 -0500

IBM: You can relax about the SSL break, mostly.
http://blogs.iss.net/archive/sslmitmiscsrf.html

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com 
http://blogs.pcmag.com/securitywatch/


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Monday, November 09, 2009 6:51 PM
To: funsec () linuxbox org
Subject: [funsec] SSL/TLS broken?

Ummmm, are we missing something?  As far as I can see, this affects *any* kind of e-commerce, but I'm not seeing much discussion on it ...

"A serious bug in the technology used to transfer information securely on the Internet lies in the SSL protocol, best known as the technology used for secure browsing on Web sites beginning with HTTPS.  The bug lets attackers intercept secure SSL with a man-in-the-middle attack. Although the flaw can only be exploited under certain circumstances, it could be used to hack into servers in shared hosting environments, mail servers, databases, and many other secure applications.  Further complicating matters is the fact that the bug was inadvertently disclosed on an obscure mailing list on November 4, forcing vendors into a mad scramble to patch their products. The issue was discovered in August by researchers at PhoneFactor, a mobile-phone security company. They had been working for the past two months with a consortium of technology vendors called the ICASI (Industry Consortium for Advancement of Security on the Internet) to coordinate an industry-wide fix for the problem, dubbed "Project Mogul." But their plans were thrown into disarray on November 4 when a SAP engineer stumbled across the bug on his own. Apparently unaware of the seriousness of the issue, he posted his observations on the issue to an IETF (Internet Engineering Task Force) discussion list. It was then publicized by a security researcher. By the afternoon of November 5, enough people were talking about the issue that PhoneFactor decided to go public with their findings."


http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SSL_security_protocol

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
Remember, Ginger Rogers did everything Fred Astaire did, but she
did it backwards and in high heels.               - Faith Whittlesey
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/NoticeBored http://twitter.com/rslade

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
