http://www.darknet.org.uk/2009/11/ssl-renegotiation-bug-succesfully-used-to-attack-twitter/ Ethical Hacking, Penetration Testing & Computer Security Tue, 14 Feb 2012 00:17:07 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://www.darknet.org.uk/2009/11/ssl-renegotiation-bug-succesfully-used-to-attack-twitter/#comment-160094 emerging Tue, 17 Nov 2009 14:52:25 +0000 http://www.darknet.org.uk/?p=2293#comment-160094 i'v seen the prove of concept attacks in a paper 2 weeks back :). surfed around the so called -security - sites they were all underestimating the vulnerability -miss design- . that paper describes 3 scenario for exploiting this vulnerability :) . and i guess there reaction was to only elude ppl. But the real disaster is going to be when when you read about the use of "hash clash" method to attack certificates. the method is well documented and has a prove of concept experiments but, again they say it is far from being used . because bla bla bla. so shall we sit and wait OR be of the first ? i’v seen the prove of concept attacks in a paper 2 weeks back :). surfed around the so called -security – sites they were all underestimating the vulnerability -miss design- . that paper describes 3 scenario for exploiting this vulnerability :) . and i guess there reaction was to only elude ppl. But the real disaster is going to be when when you read about the use of “hash clash” method to attack certificates. the method is well documented and has a prove of concept experiments but, again they say it is far from being used . because bla bla bla. so shall we sit and wait OR be of the first ?

]]> http://www.darknet.org.uk/2009/11/ssl-renegotiation-bug-succesfully-used-to-attack-twitter/#comment-160071 d3m4s1@d0v1v0 Mon, 16 Nov 2009 12:38:19 +0000 http://www.darknet.org.uk/?p=2293#comment-160071 I'd like to see the proof of concept. I was following this failure since last week and I find it very interesting. I haven't time to prove it, but I think it can be used easily on a private LAN placing a mitm attack. This twitter attack reveal account information, but even without doing that, you can do interesting things, like sending a message with your boss e-mail! I’d like to see the proof of concept. I was following this failure since last week and I find it very interesting.
I haven’t time to prove it, but I think it can be used easily on a private LAN placing a mitm attack.
This twitter attack reveal account information, but even without doing that, you can do interesting things, like sending a message with your boss e-mail!

]]>