![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
usable attack against https found
Nov. 6th, 2009 07:04 amThey discovered a "Man In The Middle" attack again TLS (or the older SSL): during renegotiation one can insert data into the stream. See this excellent article for an example.
The good part is that this requires that you can intercept the traffic between you and the server. The bad news is that this is relatively easy to do in many environments (public wifi, PC's on a hub/cheap switch etc). The major bad news is that this is not an implementation bug but an error in the specification, so expect everybody who uses SSL/TLS to be vulnerable and to update their products...
Interesting times indeed.
The good part is that this requires that you can intercept the traffic between you and the server. The bad news is that this is relatively easy to do in many environments (public wifi, PC's on a hub/cheap switch etc). The major bad news is that this is not an implementation bug but an error in the specification, so expect everybody who uses SSL/TLS to be vulnerable and to update their products...
Interesting times indeed.
