Re: SSL/TLS broken?

[Dan Kaminsky <dan () doxpara com>]

It's a really interesting bug, one of the more elegant and difficult  
to fix in a while. But it's not the end of the world, or even SSL.  
We've done OK against worse bugs.



On Nov 9, 2009, at 6:50 PM, "Rob, grandpa of Ryan, Trevor, Devon &  
Hannah" <rMslade () shaw ca> wrote:

> Ummmm, are we missing something? As far as I can see, this affects  
> *any* kind
> of e-commerce, but I'm not seeing much discussion on it ...
>
> "A serious bug in the technology used to transfer information  
> securely on the
> Internet lies in the SSL protocol, best known as the technology used  
> for secure
> browsing on Web sites beginning with HTTPS.  The bug lets attackers  
> intercept
> secure SSL with a man-in- the-middle attack. Although the flaw can  
> only be
> exploited under certain circumstances, it could be used to hack into  
> servers in
> shared hosting environments, mail servers, databases, and many other  
> secure
> applications.  Further complicating matters is the fact that the bug  
> was
> inadvertently disclosed on an obscure mailing list on November 4,  
> forcing vendors
> into a mad scramble to patch their products. The issue was  
> discovered in August by
> researchers at PhoneFactor, a mobile-phone security company. They  
> had been
> working for the past two months with a consortium of technology  
> vendors called
> the ICASI (Industry Consortium for Advancement of Security on the  
> Internet) to
> coordinate an industry wide fix for the problem, dubbed “Project Mog 
> ul.” But their
> plans were thrown into disarray on November 4 when a SAP engineer  
> stumbled
> across the bug on his own. Apparently unaware of the seriousness of  
> the issue, he
> posted his observations on the issue to an IETF (Internet  
> Engineering Task Force)
> discussion list. It was then publicized by a security researcher. By  
> the afternoon of
> November 5, enough people were talking about the issue that  
> PhoneFactor decided
> to go public with their findings."
>
>
> http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SS
> L_security_protocol
>
> ======================  (quote inserted randomly by Pegasus Mailer)
> rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
> Remember, Ginger Rogers did everything Fred Astaire did, but she
> did it backwards and in high heels.               - Faith Whittlesey
> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/ 
> index.html
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/NoticeBored http://twitter.com/rslade
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.