Comments on: SSL MitM Attack, Part 2 http://www.links.org/?p=786 Ben Laurie blathering Fri, 27 Aug 2010 13:41:58 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: securitywhispers » Blog Archive » Coverage story of TLS blind prefix injection attack http://www.links.org/?p=786&cpage=1#comment-337432 securitywhispers » Blog Archive » Coverage story of TLS blind prefix injection attack Tue, 10 Nov 2009 12:48:52 +0000 http://www.links.org/?p=786#comment-337432 [...] SSL MitM Attack, Part 2 [...] [...] SSL MitM Attack, Part 2 [...]

]]> By: Pat http://www.links.org/?p=786&cpage=1#comment-337247 Pat Mon, 09 Nov 2009 09:27:06 +0000 http://www.links.org/?p=786#comment-337247 do you have a defence to the mopnkey comment? do you have a defence to the mopnkey comment?

]]> By: David-Sarah Hopwood http://www.links.org/?p=786&cpage=1#comment-336994 David-Sarah Hopwood Sat, 07 Nov 2009 04:10:04 +0000 http://www.links.org/?p=786#comment-336994 https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt What irony that it takes three clicks to dismiss the silly dialog telling me that the connection is insecure (which I did pretty much on autopilot, given that broken certs are so common). Incidentally, the attacker can have control over some headers in some CSRF attacks. The restrictions are complicated. https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt

What irony that it takes three clicks to dismiss the silly dialog telling me that the connection is insecure (which I did pretty much on autopilot, given that broken certs are so common).

Incidentally, the attacker can have control over some headers in some CSRF attacks. The restrictions are complicated.

]]> By: m http://www.links.org/?p=786&cpage=1#comment-336940 m Fri, 06 Nov 2009 21:05:51 +0000 http://www.links.org/?p=786#comment-336940 i'm guessing that the guy referring to ISA and OWA are referring to Microsoft Internet Security & Acceleration Server and Microsoft Outlook Web Access. i’m guessing that the guy referring to ISA and OWA are referring to Microsoft Internet Security & Acceleration Server and Microsoft Outlook Web Access.

]]> By: Alex Lam http://www.links.org/?p=786&cpage=1#comment-336928 Alex Lam Fri, 06 Nov 2009 19:38:25 +0000 http://www.links.org/?p=786#comment-336928 Thanks for confirming that session resumption is not affected by this patch. More of an implementation question, are we vulnerable if the attacker hijacks the client's session resumption handshakes instead of the initial one? Does OpenSSL mandate a ClientHello.session_id check against the existing session's, or does it blindly retrieve the master secret based on the ClientHello.session_id? Thanks for confirming that session resumption is not affected by this patch.

More of an implementation question, are we vulnerable if the attacker hijacks the client’s session resumption handshakes instead of the initial one?
Does OpenSSL mandate a ClientHello.session_id check against the existing session’s, or does it blindly retrieve the master secret based on the
ClientHello.session_id?

]]> By: Benson http://www.links.org/?p=786&cpage=1#comment-336915 Benson Fri, 06 Nov 2009 17:42:10 +0000 http://www.links.org/?p=786#comment-336915 I just want to say this because you're probably mostly hearing people bitching right now: You rock. OpenSSL is a really important piece of software, and I really appreciate the work you and the rest of the team do to make it work. I just want to say this because you’re probably mostly hearing people bitching right now: You rock. OpenSSL is a really important piece of software, and I really appreciate the work you and the rest of the team do to make it work.

]]> By: Mike http://www.links.org/?p=786&cpage=1#comment-336896 Mike Fri, 06 Nov 2009 14:21:41 +0000 http://www.links.org/?p=786#comment-336896 "Though the fact that this attack doesn’t actually make HTTP much worse is a pretty damning indictment of HTTP (and HTML)!" what does that even mean? please explain how any of what you were just talking about is an indictment of HTTP.. “Though the fact that this attack doesn’t actually make HTTP much worse is a pretty damning indictment of HTTP (and HTML)!”

what does that even mean? please explain how any of what you were just talking about is an indictment of HTTP..

]]> By: Clement http://www.links.org/?p=786&cpage=1#comment-336881 Clement Fri, 06 Nov 2009 12:53:28 +0000 http://www.links.org/?p=786#comment-336881 Since when does CSRF require clicking on links? All I need is for your browser to render out the image tag that I insert into some straight-HTTP connection that I MITM, or I can insert JS if I really want POST data. And are there any other protocols that use SSL which are vulnerable to this particular corner case? Since when does CSRF require clicking on links? All I need is for your browser to render out the image tag that I insert into some straight-HTTP connection that I MITM, or I can insert JS if I really want POST data.

And are there any other protocols that use SSL which are vulnerable to this particular corner case?

]]>