Tool lets low-end PC crash much more powerful webserver
Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations. A German group known as The Hacker's Choice released the tool on Monday, in part to bring attention to what they said were a series of long-running …
This topic is closed for new posts.
“The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”
So who are those sanctimonious jerks who probably know only how to wreck stuff and couldn't design anything secure if their life depended on it?
Like vandals claiming they be fightin' for the freedom of the working class.
Research needed
You should probably take a look at THC's history and projects before flaming them. This isn't the work of the latest round of skiddies to crawl out of the woodwork.
Grammar check
It should read 'Tools let low end PC....'. This wasn't the work of an individual
I for one don't care what their motives are - over the past months it has become abundantly clear that SSL in its current form is well past its use-by date, so the sooner it gets fixed or replaced the better.
Discovering and proving a flaw in a security product is a valuable service, IMO - unlike vandals, these guys haven't done any actual damage. By releasing the tool into the wild, this effectively forces developers to fix the hole ASAP, rather than sitting around pontificating about whether it's really important or not until it's used to do some serious damage.
I wonder if this will affect Google's apparent affection for SSL on everything - and if there's a botnet big enough to knock them offline using this technique, if they aren't already protected?
Workaround
Per the THC site:
"No real solutions exists. The following steps can mitigate (but not solve)
the problem:
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator
Either of these countermeasures can be circumventing by modifying
THC-SSL-DOS."
Surely then just limiting connection based upon src IP with renegotiation is a mitigation that can't be circumvented....unless you can spoof the traffic
This topic is closed for new posts.
