Comments on: Another Protocol Bites The Dust

By: Links » TLS Renegotiation, 7 Months On

Links » TLS Renegotiation, 7 Months On — Wed, 09 Jun 2010 08:18:50 +0000

[...] been 7 months since the TLS renegotiation problem went public and Opera’s security group have a couple of interesting articles about it. The [...]

By: Links » Extended Subsets

Links » Extended Subsets — Thu, 17 Dec 2009 16:38:43 +0000

[...] dealing with the recent SSL fun, I met Marsh Ray, who found the problem in the first place. Marsh has a website, [...]

By: 78% of most popular HTTPS are still vulnerable « onlinesecurityblog.info

78% of most popular HTTPS are still vulnerable « onlinesecurityblog.info — Thu, 03 Dec 2009 17:28:36 +0000

[...] Laurie of Google was working on the renegotiation flaw around six weeks before it was made public, so it is perhaps unsurprising that 7 of the 24 safe sites are owned by [...]

By: операционные системы Linux/BSD » В протоколах SSL/TLS найдена критическая уязвимость

Wed, 11 Nov 2009 06:52:38 +0000

[...] реализаций протокола. Для OpenSSL уже выпущен временный патч (дополнение: исправления представлены в GnuTLS 2.8.5 и OpenSSL [...]

By: NetStorming » Seria vulnerabilidad en SSL

NetStorming » Seria vulnerabilidad en SSL — Sun, 08 Nov 2009 01:50:40 +0000

[...] un post en Slashdot, una grave vulnerabilidad en el protocolo SSL podría permitir ataques de man-in-the-middle durante [...]

By: Fallo de seguridad SSL y TLS | El mundo de IMD

Fallo de seguridad SSL y TLS | El mundo de IMD — Sat, 07 Nov 2009 14:46:43 +0000

[...] en Slashdot una noticia que se está extendiendo como la pólvora: se trata de una vulnerabilidad bastante seria en SSL. Resumidamente, se trata de un clásico man-in-the-middle que podría explotar la renegociación de [...]

By: В протоколах SSL/TLS найдена критическая уязвимость » Боталка

В протоколах SSL/TLS найдена критическая уязвимость » Боталка — Sat, 07 Nov 2009 12:11:46 +0000

[...] реализаций протокола. Для OpenSSL уже выпущен временный патч, середыш которого сводится к пoлнoму отключению [...]

By: Barrapunto | Descubierta grave vulnerabilidad en SSL/TLS « El camello, el Leon y el niño. O la evolución del perro al lobo

Sat, 07 Nov 2009 10:50:15 +0000

[...] cuenta: «Leo en Slashdot una noticia que se está extendiendo como la pólvora: se trata de una vulnerabilidad bastante seria en SSL. Resumidamente, se trata de un clásico man-in-the-middle que podría explotar la renegociación de [...]

By: Anonymous Coward

Anonymous Coward — Sat, 07 Nov 2009 05:42:17 +0000

> OpenSSL is written by monkeys

I think Linus specifically noted that the OpenBSD committers are a group of *masturbating* monkeys.

i.e., they care about security~

By: David-Sarah Hopwood

David-Sarah Hopwood — Sat, 07 Nov 2009 04:02:56 +0000

In response to comment 7:
CSRF is normally constrained to some extent by the same-origin policy; this isn’t. In your example, the response to the img request can’t be read by a script — it can only be displayed (and if there were a way for an attacker to read the displayed pixels, that would be a browser bug).