SSL/TLS renegotiation vulnerability still widely unpatched 
Monday, June 20, 2011, 01:38 PM
In November 2009 a man-in-the-middle (MITM) vulnerability in SSL/TLS/https was made public (CVE-2009-3555), and shortly afterwards it was demonstrated to be exploitable. In February 2010 researchers published RFC 5746, which describes how servers and clients can be made immune. Software that implements the TLS protocol enhancements became available shortly afterwards. Most modern web browsers are patched, but the solution requires that both browser developers and website operators take action.

Unfortunately, 16 months later, many major websites, including several that deal with real-world transactions of goods and money, still haven't upgraded their systems.

Even worse, for a large portion of those sites it can be shown that their operators failed to apply even the essential configuration hotfix. They support the style of handshake that can allow a MITM attacker to inject attack data into the transaction stream.

Here is a list of patched and unpatched popular sites, along with more background information. The patched sites demonstrate that patching is indeed possible.

Given that attackers could execute malicious transactions with a customer's credentials, customers should demand that this security issue be resolved quickly. What can we do to remind service providers that fixing this issue deserves a high priority?
