A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the secure sockets layer protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through …
At present "fixes" can only disable renegotiation by brute force. This can cause major problems with some websites but is the best that can be done for the moment. A standard which fully addresses this issue is still at the draft stage and being discussed. Unreleased (but publicly available) versions of OpenSSL implement the current draft standard.
This is Why I Now Always Use Server-Based Sessions
1 Login, then a constantly-changing SESSION_ID.
Makes hacking a wee bit more difficult, although hackers are smart. I have no illusions that they will never be able to crack these (especially if I write stupid server code).
What is halfway between twat and shitter?
Why does Twitter renegotiate?
I really thought that re-negotiation was a rare phenomenon, and that this attack was hard to pull off without some way to force a renegotiation to occur, or a site that specifically uses it for either client certificate authentication (unusual) or multiple different crypto levels for different parts of a site (totally unnecessary).
David, this may be because a lot of these things are run by script kiddies.
One world twitters, One Turk twiddles, One site becomes twaddle!