Engineers have signed off on a fix for a potentially serious vulnerability in the SSL, or secure sockets layer, protocol that secures email, web transactions and other types of sensitive internet traffic. The final draft updates the industry-wide specifications for SSL, which is also referred to as TLS, or transport layer …
Doesn't stop SSLstrip
Still running SSLstrip on my demo man-in-the-middle box and those cleartext passwords such as Twitter / Gmail and Facebook etc. just keep on appearing in the log.
Not sure if this is the vulnerability they are talking about, as SSLstrip has been included on BackTrack far before the claimed November discovery.
Paris because she loves stripping.
SSLstrip doesn't rely on any weakness in SSL. The attack operates on the non-SSL http session that occurs prior to the user clicking a link that will take them to an SSL protected session.
If I open a browser and type "https://gmail.com" SSLstrip won't be able to do anything. If I go to "http://google.com" and click on the mail link then it might work, but it will do so by modifying the data I received in the initial, unencrypted connection.
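Added example, not part of the comment above and not code from SSLstrip: a site-owner audit of the exposure that comment describes. It lists the https links and form targets on a page delivered over plain http, which are the ones that depend on unauthenticated markup. The function name, sample HTML and `example.test` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _TargetCollector(HTMLParser):
    """Collect navigation targets: <a href>, <area href>, <form action>, <iframe src>."""
    TARGETS = {"a": "href", "area": "href", "form": "action", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TARGETS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.found.append((tag, value.strip()))


def exposed_https_targets(page_url, html):
    """Return (tag, absolute_url) for every https target on a page served over http.

    A page fetched over https is integrity-protected in transit, so it yields [].
    """
    if urlsplit(page_url).scheme.lower() != "http":
        return []
    collector = _TargetCollector()
    collector.feed(html)
    exposed = []
    for tag, raw in collector.found:
        absolute = urljoin(page_url, raw)  # resolve relative links against the page
        if urlsplit(absolute).scheme.lower() == "https":
            exposed.append((tag, absolute))
    return exposed


# Constructed sample page, standing in for a portal served over cleartext http.
SAMPLE_HTML = """
<html><body>
<a href="https://mail.example.test/login">Mail</a>
<a href="/about">About</a>
<form action="https://accounts.example.test/signin" method="post"></form>
<a href="http://news.example.test/">News</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in exposed_https_targets("http://www.example.test/", SAMPLE_HTML):
        print(f"<{tag}> -> {url} is reached only via unauthenticated markup")
```

Each reported entry is a candidate for serving the referring page itself over https.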
For quite a large chunk, simply making the change and punting out those changes through the download channels to the various machines on auto update....
The real fun starts when you realise how many places, where we have all worked over the years, have that special machine! Year after year it sits quietly in the corner chugging away, no one ever dares touch it or Lord forbid, update the software. No one really knows how it works. So it's usually about 5 years out of date, has so many security holes but is so important to the company that it's like tying down a battleship with huge chains, only to have the very last link made from Play-Doh!