Hacker group releases attack tool for SSL Web sessions

A German hacker group has released a tool for launching denial-of-service attacks against Secure Sockets Layer servers used to secure online transactions, exploiting vulnerabilities that have been known for years.

The group, The Hacker’s Choice, said in a press release issued Oct. 24 that the tool is an effort to force the industry to correct flaws in the SSL protocol.

“We are hoping that the fishy security in SSL does not go unnoticed,” the group said in the release. “The industry should step in to fix the problem so that citizens are safe and secure again.”



Paul Kocher, co-author of SSL v. 3.0, disagreed with the hackers’ assessment.

“This isn’t a vulnerability in the protocol,” said Kocher, president of Cryptography Research Inc. Instead, it’s a question of how much computational effort is required to do the cryptography, and the attack threat probably can be defended against with proper configuration of servers, he said. “I wouldn’t expect there to be any protocol changes as a result of this.”

SSL is a commonly used protocol for securing network connections with public-key cryptography (and it puts “HTTPS” into the URL). The group described SSL security as out of date and needlessly complex. The THC SSL DOS tool leverages the disproportionate amount of processing power a server needs to establish a secure SSL connection, and it exploits the secure renegotiation feature of SSL servers by triggering thousands of renegotiations over a single TCP connection.

The group said that because of the asymmetric computing requirements, a single laptop with a DSL connection can take down an average SSL server. Taking down a larger server farm using SSL load balancing would take 20 laptops.
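The pattern described above, thousands of renegotiations on one TCP connection, is visible to a defender as repeated handshakes on the same connection. The following is an added example, not code from the article or from the group's tool: a sliding-window check that flags such connections. The event format, connection ids and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample events, not real logs: (time in ms, connection id, TLS event).
SAMPLE_EVENTS = (
    [(0, "conn-A", "handshake"), (100, "conn-B", "handshake")]
    # conn-B: 40 further handshakes on the same TCP connection, 50 ms apart
    + [(200 + i * 50, "conn-B", "handshake") for i in range(40)]
    # conn-A: two widely spaced renegotiations, which is ordinary behaviour
    + [(30_000, "conn-A", "handshake"), (95_000, "conn-A", "handshake")]
    + [(1_000, "conn-C", "handshake"), (1_500, "conn-C", "app_data")]
)


def find_renegotiation_floods(events, max_renegs=3, window_ms=10_000):
    """Return {conn_id: time in ms at which the limit was first exceeded}.

    The first handshake seen on a connection is the initial one; every later
    handshake on that same connection is a renegotiation. A connection is
    flagged once more than max_renegs renegotiations fall within window_ms.
    Both thresholds are assumed values, to be tuned per deployment.
    """
    seen_initial = set()
    recent = defaultdict(deque)  # conn_id -> renegotiation times inside window
    flagged = {}
    for ts, conn, kind in sorted(events):
        if kind != "handshake":
            continue
        if conn not in seen_initial:
            seen_initial.add(conn)  # initial handshake, not a renegotiation
            continue
        times = recent[conn]
        times.append(ts)
        # Drop renegotiations that have aged out of the window.
        while times and ts - times[0] > window_ms:
            times.popleft()
        if len(times) > max_renegs and conn not in flagged:
            flagged[conn] = ts
    return flagged


if __name__ == "__main__":
    for conn, ts in find_renegotiation_floods(SAMPLE_EVENTS).items():
        print(f"{conn}: renegotiation limit exceeded at {ts} ms")
```

A server or load balancer that enforces the same limit inline would close the flagged connection instead of reporting it.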

“All in all, superb results,” the group said in the release.

Article source: http://gcn.com/articles/2011/10/25/hacker-group-tool-for-attacking-ssl-sessions.aspx
