It's a really interesting bug, one of the more elegant and difficult to fix in a while. But it's not the end of the world, or even SSL. We've done OK against worse bugs.
On Nov 9, 2009, at 6:50 PM, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <[email protected]> wrote:

> Ummmm, are we missing something? As far as I can see, this affects *any* kind of e-commerce, but I'm not seeing much discussion on it ...
>
> "A serious bug in the technology used to transfer information securely on the Internet lies in the SSL protocol, best known as the technology used for secure browsing on Web sites beginning with HTTPS. The bug lets attackers intercept secure SSL with a man-in-the-middle attack. Although the flaw can only be exploited under certain circumstances, it could be used to hack into servers in shared hosting environments, mail servers, databases, and many other secure applications. Further complicating matters is the fact that the bug was inadvertently disclosed on an obscure mailing list on November 4, forcing vendors into a mad scramble to patch their products. The issue was discovered in August by researchers at PhoneFactor, a mobile-phone security company. They had been working for the past two months with a consortium of technology vendors called the ICASI (Industry Consortium for Advancement of Security on the Internet) to coordinate an industry-wide fix for the problem, dubbed "Project Mogul." But their plans were thrown into disarray on November 4 when a SAP engineer stumbled across the bug on his own. Apparently unaware of the seriousness of the issue, he posted his observations on the issue to an IETF (Internet Engineering Task Force) discussion list. It was then publicized by a security researcher. By the afternoon of November 5, enough people were talking about the issue that PhoneFactor decided to go public with their findings."
>
> http://www.computerworld.com/s/article/9140362/Scramble_on_to_fix_flaw_in_SSL_security_protocol
>
> ====================== (quote inserted randomly by Pegasus Mailer)
> [email protected] [email protected] [email protected]
> Remember, Ginger Rogers did everything Fred Astaire did, but she did it backwards and in high heels. - Faith Whittlesey
> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://twitter.com/NoticeBored http://twitter.com/rslade
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
