https://pvaneynd.dreamwidth.org/ pvaneynd - Dreamwidth Studios Fri, 06 Nov 2009 06:21:43 GMT LiveJournal / Dreamwidth Studios pvaneynd personal https://v2.dreamwidth.org/7693145/447974 https://pvaneynd.dreamwidth.org/ 76 100 https://pvaneynd.dreamwidth.org/131516.html Fri, 06 Nov 2009 06:21:43 GMT https://pvaneynd.dreamwidth.org/131516.html They discovered a "Man In The Middle" attack again <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security">TLS</a> (or the older SSL): during renegotiation one can insert data into the stream. See this excellent article for an <a href="http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html">example</a>.<br /><br />The good part is that this requires that you can intercept the traffic between you and the server. The bad news is that this is relatively easy to do in many environments (public wifi, PC's on a hub/cheap switch etc). The <b>major</b> bad news is that this is not an implementation bug but an error in the specification, so expect <b>everybody who uses SSL/TLS</b> to be vulnerable and to update their products...<br /><br />Interesting times indeed.<br /><br /><img src="https://www.dreamwidth.org/tools/commentcount?user=pvaneynd&ditemid=131516" width="30" height="12" alt="comment count unavailable" style="vertical-align: middle;"/> comments https://pvaneynd.dreamwidth.org/131516.html security bouncy public 0