• New SSL Issues = New SSL Attacks

    You might remember the article I wrote a couple of weeks back about the then recently discovered vulnerabilities in SSL 3.0 (TLS 1.0). Well, things just got real.

    At the time, some researchers even went so far as to say that the vulnerability was only theoretical! Too theoretical to even worry about. The attack is described in detail:

    It appears that the popular micro-blogging site Twitter first fell victim to the attack. The Register has the full story:

    Now that the attack is in the wild, where are the patches?

    At the time of publishing, here is where everyone is:

    OpenSSL

    • Workaround – Removes Renegotiation (OpenSSL 0.9.8l): Limited Public Availability
    • Fix (OpenSSL 0.9.8m): Code Undergoing Initial Testing

    Microsoft

    • IIS, SChannel, Internet Explorer: Interoperability Testing in Progress
    • IIS6 and 7: Not Vulnerable to Client-Initiated Renegotiation

    Cisco

    • Vulnerable Products: Code Undergoing Initial Testing

    F5

    • Workaround – Disables Renegotiation: Limited Public Availability
    • Fix: Code Undergoing Initial Testing

    NSS (Mozilla/Firefox)

    • TLS protocol fix: Interoperability Testing in Progress

    Sun

    • Vulnerable Products: Code Undergoing Initial Testing

    GnuTLS

    • Fix: Code Undergoing Initial Testing
    • Most Applications Are Not Affected

    RSA

    • Vulnerable Products: Interoperability Testing in Progress/Limited Public Availability

    Opera

    • Fix: Code Undergoing Initial Testing

    For more information and updates: