Case Closed: SSL/TLS Authentication Gap
It was one year ago this week that I began in earnest a coding project to prove or disprove my suspicion of an exploitable weakness in TLS renegotiation. I fully expected to fail in this endeavor as this protocol was generally regarded as having stood the test of time. Even after I had a working [...]
Implications of the Twitter attack using the SSL gap
When we released the SSL authentication gap details a couple of weeks ago, I was convinced that this was a serious issue that needed immediate attention. Although most everyone agreed, there were a few commentators out there that weren’t as concerned about the problem as I was. Well, fast-forward a few days, and the situation [...]
PhoneFactor Team Discovers Vulnerability in SSL Authentication
Earlier this week, PhoneFactor released the details of a serious vulnerability in SSL/TLS authentication, which was discovered by PhoneFactor team members Marsh Ray and Steve Dispensa in August 2009. The SSL authentication gap allows for a standard man-in-the-middle attack in which an attacker is able to inject malicious data and commands into the authenticated SSL [...]
