Post Reply 
Major Vulnerability in TLS and SSL authentication enables MITM attack
Nov. 06, 2009, 10:26 PM
Post: #1
Major Vulnerability in TLS and SSL authentication enables MITM attack
U.S. software developer Ray Marsh of PhoneFactor has published a vulnerability in the Transport Layer Security protocol.
This would allow man-in-the-middle attacks on connections secured with SSL:

http://www.phonefactor.com/sslgap

http://extendedsubset.com/?p=8

http://www.ietf.org/mail-archive/web/tls...03928.html

http://www.educatedguesswork.org/2009/11...egoti.html

In the meantime, OpenSSL have released version 0.9.81 to mitigate:
http://www.openssl.org/news/
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
*) Disable renegotiation completely - this fixes a severe security
problem (CVE-2009-3555) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
you're doing.
[Ben Laurie]

The developers of GNU TLS have announced a patch, current version GnuTLS 2.8.5 does not include this repair yet.
http://www.gnu.org/software/gnutls/news.html
Add Thank You Quote this message in a reply
Post Reply 


Forum Jump: