Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations. A German group known as The Hacker's Choice released the tool on Monday, in part to bring attention to what they said were a series of long-running …
“The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”
So who are those sanctimonious jerks who probably know only how to wreck stuff and couldn't design anything secure if their life depended on it?
Like vandals claiming they be fightin' for the freedom of the working class.
You should probably take a look at THC's history and projects before flaming them. This isn't the work of the latest round of skiddies to crawl out of the woodwork.
Well they definitely behave that way.
It should read 'Tools let low end PC....'. This wasn't the work of an individual
I for one don't care what their motives are - over the past months it has become abundantly clear that SSL in its current form is well past its use-by date, so the sooner it gets fixed or replaced the better.
Discovering and proving a flaw in a security product is a valuable service, IMO - unlike vandals, these guys haven't done any actual damage. By releasing the tool into the wild, this effectively forces developers to fix the hole ASAP, rather than sitting around pontificating about whether it's really important or not until it's used to do some serious damage.
I wonder if this will affect Google's apparent affection for SSL on everything - and if there's a botnet big enough to knock them offline using this technique, if they aren't already protected?
Per the THC site:
"No real solutions exists. The following steps can mitigate (but not solve)
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator
Either of these countermeasures can be circumventing by modifying
Surely then just limiting connection based upon src IP with renegotiation is a mitigation that can't be circumvented....unless you can spoof the traffic
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Game Theory The agony and ecstasy of SteamOS: WHERE ARE MY GAMES?
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft and HTC are M8s again: New One mobe sports WinPhone
- Worstall on Wednesday Wall Street woes: Oh noes, tech titans aren't using bankers