Looks like it's an inherent flaw recently discovered in TLS/SSL
 
http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html
 
not sure what to do about it.



From: [email protected] [mailto:[email protected]] On Behalf
Of Mike G
Sent: Tuesday, February 16, 2010 6:08 PM
To: [email protected]
Subject: Re: [houcfug] SSL vulnerability



Did they identify which remote service?  Or are they pointing out an inherent
"flaw" in SSL/TLS?  If I had to guess they are pointing out that you are
creating a web service object and then reusing that object. Shame on you
<grin>. Can they be more specific? Is it the SOAP binding, the object reuse,
reusing the same remote call in a single authentication session?


On Feb 16, 2010 4:29 PM, "Mark Davis" <[email protected]> wrote:


The vulnerability scan performed by our hosting provider came up with this.
 

The remote service allows renegotiation of TLS / SSL connections.

Risk: Medium    TCP Port: 443
 

The remote service encrypts traffic using TLS / SSL but allows a
client to renegotiate the connection after the initial handshake. An
unauthenticated remote attacker may be able to leverage this issue to 
inject an arbitrary amount of plaintext into the beginning of the
application protocol stream, which could facilitate man-in-the-middle
attacks if the service assumes that the sessions before and after
renegotiation are from the same 'client' and merges them at the 
application layer.      
 
I have looked around and read some and this is the best info I can find
  http://www.kb.cert.org/vuls/id/120541
 
The vulnerability report and that page say "Contact vendor for specific
patch information".  Vendor for what?  There is a vendor list at that
link, but hell, we do business with several of those guys.  Anyone else come
across this?
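To make the scan finding concrete, here is a small added model (not part of this thread, and not a real TLS implementation) of the application-layer merge it warns about. Each record is tagged with the handshake it arrived under; all sample bytes are constructed.

```python
"""Toy model of the renegotiation merge described in the scan finding.

A record is (handshake_no, plaintext): handshake_no 1 is the initial
handshake, 2 is a client-initiated renegotiation spliced into the same
TCP connection. The flaw is in how the application joins those buffers.
"""


def merged_request(records):
    """Vulnerable behaviour: everything received on the connection is
    treated as one client's request, ignoring handshake boundaries."""
    return b"".join(payload for _, payload in records)


def renegotiation_safe_request(records, allow_renegotiation=False):
    """Hardened behaviour: by default refuse client-initiated
    renegotiation; if it must be allowed, discard whatever was buffered
    before it so no unauthenticated prefix is merged into the request."""
    buf = b""
    current = None
    for hs, payload in records:
        if current is not None and hs != current:
            if not allow_renegotiation:
                raise ConnectionError("client-initiated renegotiation refused")
            buf = b""  # new handshake: start the application buffer over
        current = hs
        buf += payload
    return buf


# Constructed sample: bytes that reached the server under handshake 1
# (from a party the server never authenticated), followed by the real
# client's request under handshake 2 after the renegotiation.
SAMPLE = [
    (1, b"PREFIX-FROM-UNAUTHENTICATED-PARTY "),
    (2, b"GET /account HTTP/1.1\r\nCookie: sid=constructed\r\n\r\n"),
]

if __name__ == "__main__":
    print("vulnerable server sees:", merged_request(SAMPLE))
    print("hardened server sees:  ",
          renegotiation_safe_request(SAMPLE, allow_renegotiation=True))
```

The mitigation the vendors shipped in 2010 was the same idea at the TLS layer: either disable client-initiated renegotiation or only allow it when both sides bind the new handshake to the old one.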
 
 



-- 
You received this message because you are subscribed to the "Houston
ColdFusion Users' Group" discussion list.
To unsubscribe, send email to [email protected]
For more options, visit http://groups.google.com/group/houcfug?hl=en
