A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the secure sockets layer protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through …
At present "fixes" can only disable renegotiation by brute force. This can cause major problems with some websites but is the best that can be done for the moment. A standard which fully addresses this issue is still at the draft stage and being discussed. Unreleased (but publicly available) versions of OpenSSL implement the current draft standard.
This is Why I Now Always Use Server-Based Sessions
1 Login, then a constantly-changing SESSION_ID.
Makes hacking a wee bit more difficult, although hackers are smart. I have no illusions that they will never be able to crack these (especially if I write stupid server code).
What is halfway between twat and shitter?
Why does twitter renegotiate?
I really thought that re-negotiation was a rare phenomenon, and that this attack was hard to pull off without some way to force a renegotiation to occur, or a site that specifically uses it for either client certificate authentication (unusual) or multiple different crypto levels for different parts of a site (totally unnecessary).
David, this may be because a lot of these things are run by script kiddies.
One world twitters, One Turk twiddles, One site becomes twaddle!
- Updated Hidden network packet sniffer in MILLIONS of iPhones, iPads – expert
- Students hack Tesla Model S, make all its doors pop open IN MOTION
- RISE of the Jesus Phone MOUNTAIN: Apple orders 80 MILLION 'Air' iPhone 6s
- BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
- PROOF the Apple iPhone 6 rumor mill hype-gasm has reached its logical conclusion