SSL at risk (again), this time Twitter is the first target | Internet News

Nov 17, 2009

From the "Not a Hoax" files:

SSL is of critical importance to all web users as the most commonly used method for securing websites. There is now a new, publicly posted exploit technique for SSL that takes advantage of a renegotiation flaw in TLS.

As a proof of concept, security researcher Anil Kurmus has blogged about how TLS/SSL renegotiation can be used to exploit Twitter’s HTTPS (that is, SSL-secured) API.

“All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website, and CSRF protections do not apply here,” Kurmus wrote.

This is extremely serious and, in my opinion, represents perhaps the single biggest threat to the integrity of the Internet today. Without SSL, ecommerce becomes insecure and the vast majority of the web’s population cannot log in securely to any website.

Sure, there have been SSL threats before.

Most notably, I’ve seen security researcher Moxie Marlinspike present his ideas on SSLstrip at Black Hat in February, then again in July. Marlinspike, however, wasn’t directly attacking SSL itself. His attacks also involved a man-in-the-middle type attack, but one where a regular HTTP user is tricked into thinking they are actually on an HTTPS (SSL) protected site.

The new attack (if I understand it correctly) actually intercepts legitimate HTTPS traffic. It’s a subtle but very significant difference.
