SSL renegociation vulnerability

To: tech-security%netbsd.org@localhost
Subject: SSL renegociation vulnerability
From: manu%netbsd.org@localhost (Emmanuel Dreyfus)
Date: Fri, 6 Nov 2009 07:28:46 +0100

Hello

A question about the latest SSL vulnerability:
http://extendedsubset.com/?p=8

The data insertion is possible at SSL renegociation time. When do the
renegociation occur? We are told it happens when client certificate are
used, and on algorithm change. 

When client certificates are not used, when do we have reneegociations?
And how the attacker is able to forecast the next renegociation? Because
it has for forecast in order to inject data, right?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost

Follow-Ups:
- Re: SSL renegociation vulnerability
  - From: Brian A. Seklecki (CFI NOC)

Prev by Date: Dear customer
Next by Date: sshd UsePAM, PR bin/32313
Previous by Thread: Dear customer
Next by Thread: Re: SSL renegociation vulnerability
Indexes:

Home | Main Index | Thread Index | Old Index