http://www.infoworld.com/t/security/new-dos-tool-thc-another-overhyped-threat-177167

By Woody Leonhard
InfoWorld
October 26, 2011

If you have a site that uses SSL encryption, right now might be a good time to find out if the site supports automatic SSL Renegotiation. But the sky isn't falling, despite what you may have read.

Yes, a German hacker group known as THC (The Hacker's Choice) has just released THC-SSL-DoS, which can bring down an HTTPS site with a DoS attack using an ordinary laptop -- but only if that site has SSL Renegotiation turned on. Most HTTPS sites already have SSL Renegotiation turned off, so they aren't vulnerable.

Apache 2.2.14, IIS 7.0, and OpenSSL 0.9.8l and earlier all shipped with SSL Renegotiation enabled by default, making them potential targets. If you have newer versions, SSL Renegotiation is disabled by default. An admin might've changed the setting, though, so it wouldn't hurt to make sure SSL Renegotiation is turned off. Here's the whole story.

[...]

Received on Wed Oct 26 2011 - 22:48:00 PDT