Security Basics mailing list archives

RE: SSL protocol flaw, request for opinions

From: "Benjamin Meade" <ben () lanwest com au>
Date: Mon, 24 Feb 2003 16:43:07 +0800


Can't say I'm too worried about it.

(a) Its already been patched, and (b), the requirements for pulling off
this attack are high enough to dissuade all but the most determined
cracker. A sufficiently determined cracker will get into your system,
there is no way around it. What it comes down to is if a compromise is
going to cost your company x amount to fix (including lost downtime,
consumer confidence, lawsuits etc), then you spend that amount on
securing your system, and leave it at that.

Benjamin Meade
System Administrator
LanWest Pty Ltd 

-----Original Message-----
From: Juan Velasquez [mailto:juan () EvolutionH com] 
Sent: Friday, 21 February 2003 3:46 PM
To: jasonc () science org; security-basics () securityfocus com
Subject: SSL protocol flaw, request for opinions

I just read this story which explains how the Swiss Federal Institute of

Technology
exploited a flaw in the SSL protocol to hijack an 8 character password 
from a bunch of SSL encrypted email logins.
I was surprised. What does the security community think of this?

http://www.newscientist.com/news/news.jsp?id=ns99993420


-- 

Juan Velasquez
Juan () EvolutionhH com

Current thread:

SSL protocol flaw, request for opinions Juan Velasquez (Feb 22)
- Re: SSL protocol flaw, request for opinions Gayle Shipp (Feb 24)
- RE: SSL protocol flaw, request for opinions Benjamin Meade (Feb 24)
- Re: SSL protocol flaw, request for opinions Angelo Perniola (Feb 24)
- Re: SSL protocol flaw, request for opinions Naveen Maram (Feb 24)