Home page logo

basics logo Security Basics mailing list archives

RE: SSL protocol flaw, request for opinions
From: "Benjamin Meade" <ben () lanwest com au>
Date: Mon, 24 Feb 2003 16:43:07 +0800

Can't say I'm too worried about it.

(a) Its already been patched, and (b), the requirements for pulling off
this attack are high enough to dissuade all but the most determined
cracker. A sufficiently determined cracker will get into your system,
there is no way around it. What it comes down to is if a compromise is
going to cost your company x amount to fix (including lost downtime,
consumer confidence, lawsuits etc), then you spend that amount on
securing your system, and leave it at that.

Benjamin Meade
System Administrator
LanWest Pty Ltd 

-----Original Message-----
From: Juan Velasquez [mailto:juan () EvolutionH com] 
Sent: Friday, 21 February 2003 3:46 PM
To: jasonc () science org; security-basics () securityfocus com
Subject: SSL protocol flaw, request for opinions

I just read this story which explains how the Swiss Federal Institute of

exploited a flaw in the SSL protocol to hijack an 8 character password 
from a bunch of SSL encrypted email logins.
I was surprised. What does the security community think of this?



Juan Velasquez
Juan () EvolutionhH com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]