Reports of a successful exploit of the SSL Renegotiation Vulnerability?

Published: 2009-11-16. Last Updated: 2009-11-16 02:49:31 UTC
by G. N. White (Version: 1)
1 comment(s)

Its a brand new week...  and what a way to start off a brand new week with a report of someone sucessfully exploiting the SSL Renegotiation Vulnerability against a rather "popular" Internet property.

Read all about it here.

G.N. White

ISC Handler on Duty

 

1 comment(s)

Comments

Data between the client and the real server remains encrypted in transit during the attack, but the Man-In-The-Middle can prepend the HTTP request with arbitrary data. To me, it sounded difficult to exploit, and that a sensibly-designed web app would be safe.

But the nature of the vulnerability reported today sounds akin to an XSS or XSRF vulnerability; 'popular' (haha) sites including twitter seem to be riddled with them though.

Maybe there will be similar flaws uncovered in popular off-the-shelf apps like CMSes too, so it's worth being prepared for; patch your servers for the renegotiation vulnerability as soon as it's viable.

Diary Archives