A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the secure sockets layer protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through …
At present "fixes" can only disable renegotiation by brute force. This can cause major problems with some websites but is the best that can be done for the moment. A standard which fully addresses this issue is still at the draft stage and being discussed. Unreleased (but publicly available) versions of OpenSSL implement the current draft standard.
This is Why I Now Always Use Server-Based Sessions
1 Login, then a constantly-changing SESSION_ID.
Makes hacking a wee bit more difficult, although hackers are smart. I have no illusions that they will never be able to crack these (especially if I write stupid server code).
What is halfway between twat and shitter?
Why does twitter renegotiate?
I really thought that re-negotiation was a rare phenomenon, and that this attack was hard to pull off without some way to force a renegotiation to occur, or a site that specifically uses it for either client certificate authentication (unusual) or multiple different crypto levels for different parts of a site (totally unnecessary).
David, this may be because a lot of these things are run by script kiddies.
One world twitters, One Turk twiddles, One site becomes twaddle!
- Updated Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
- Elon Musk's LEAKY THRUSTER gas stalls Space Station supply run
- Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Android engineer: We DIDN'T copy Apple OR follow Samsung's orders