Major Vulnerability in TLS and SSL authentication enables MITM attack
Nov. 06, 2009, 10:26 PM
Post: #1
U.S. software developer Ray Marsh of PhoneFactor has published a vulnerability in the Transport Layer Security protocol.
This would allow man-in-the-middle attacks on connections secured with SSL:

http://www.phonefactor.com/sslgap
http://extendedsubset.com/?p=8
http://www.ietf.org/mail-archive/web/tls...03928.html
http://www.educatedguesswork.org/2009/11...egoti.html

In the meantime, OpenSSL have released version 0.9.8l to mitigate: http://www.openssl.org/news/

  Changes between 0.9.8k and 0.9.8l [5 Nov 2009]

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all renegotiation.
     Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time.
     This is really not recommended unless you know what you're doing.
     [Ben Laurie]

The developers of GNU TLS have announced a patch; the current version, GnuTLS 2.8.5, does not include this repair yet. http://www.gnu.org/software/gnutls/news.html
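The changelog quoted in the post makes 0.9.8l the first OpenSSL release with renegotiation disabled, so the practical question for an operator is whether every deployed OpenSSL is at or past that version. The following is an added example, not code from the post or from the OpenSSL project: a small Python checker that parses the version line printed by `openssl version` (e.g. "OpenSSL 0.9.8k 25 Mar 2009"), orders the 0.9.8 letter suffixes correctly, and reports each host in a constructed inventory as fixed, vulnerable or unknown. The inventory dict, the host names and the helper names are assumptions made up for the example; the only page-derived value is the 0.9.8l baseline.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the line printed by `openssl version`, e.g. "OpenSSL 0.9.8k 25 Mar 2009",
# or a bare "0.9.8k". The trailing letters are the patch level of the 0.9.x line.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

# First release whose changelog says renegotiation is disabled (CVE-2009-3555).
FIXED_VERSION = "0.9.8l"


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '0.9.8k' into a comparable tuple (0, 9, 8, 11).

    Letter patch levels map to 1..26 (a multi-letter suffix such as 'za' sorts
    after every single letter), so 0.9.8 < 0.9.8a < ... < 0.9.8k < 0.9.8l.
    Returns None for anything that is not a plausible OpenSSL version string.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, patch = m.groups()
    major, minor, fix = int(major), int(minor), int(fix)
    # Assumption used as a sanity check: the 0.9 line ends at 0.9.8, so a
    # third component above 8 (e.g. the common mistyping "0.9.81" for "0.9.8l")
    # is rejected rather than silently compared as a newer release.
    if (major, minor) == (0, 9) and fix > 8:
        return None
    level = 0
    for ch in patch:
        level = level * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, level)


def is_fixed(version_text: str) -> Optional[bool]:
    """True if the version is 0.9.8l or later, False if older, None if unparseable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return parsed >= parse_version(FIXED_VERSION)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'fixed', 'vulnerable' or 'unknown' from its `openssl version` line."""
    verdicts = {}
    for host, line in inventory.items():
        status = is_fixed(line)
        verdicts[host] = "unknown" if status is None else ("fixed" if status else "vulnerable")
    return verdicts


# Constructed sample inventory: host -> captured `openssl version` output.
SAMPLE_INVENTORY = {
    "web-1.example": "OpenSSL 0.9.8k 25 Mar 2009",
    "web-2.example": "OpenSSL 0.9.8l 5 Nov 2009",
    "vpn-1.example": "OpenSSL 0.9.8g 19 Oct 2007",
    "lb-1.example": "0.9.81",          # a hand-typed entry with '1' instead of 'l'
    "db-1.example": "no openssl binary found",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {verdict}")
```

The ordering matters because a naive string comparison ranks "0.9.8k" and "0.9.8l" correctly but would also accept "0.9.81", which the parser deliberately refuses; entries that come back as unknown are the ones to re-collect by hand rather than assume patched.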