Case Closed: SSL/TLS Authentication Gap
It was one year ago this week that I began in earnest a coding project to prove or disprove my suspicion of an exploitable weakness in TLS renegotiation. I fully expected to fail in this endeavor as this protocol was generally regarded as having stood the test of time. Even after I had a working [...]
Steve Dispensa and Marsh Ray to Present ShmooCon 2010 Keynote
PhoneFactor CTO Steve Dispensa and Sr. Software Engineer Marsh Ray are headed to DC this week where they will be presenting the keynote address at the ShmooCon conference. The keynote Closing the TLS Authentication Gap will detail the technical aspects of the SSL/TLS authentication vulnerability they made public last fall and the story behind the [...]
Implications of the Twitter attack using the SSL gap
When we released the SSL authentication gap details a couple of weeks ago, I was convinced that this was a serious issue that needed immediate attention. Although most everyone agreed, there were a few commentators out there that weren’t as concerned about the problem as I was. Well, fast-forward a few days, and the situation [...]
PhoneFactor Team Discovers Vulnerability in SSL Authentication
Earlier this week, PhoneFactor released the details of a serious vulnerability in SSL/TLS authentication, which was discovered by PhoneFactor team members Marsh Ray and Steve Dispensa in August 2009. The SSL authentication gap allows for a standard man-in-the-middle attack in which an attacker is able to inject malicious data and commands into the authenticated SSL [...]
