[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: TLS Renegotiation Vulnerability: Proof of Concept Code (Python)

Also, can you change this:

"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF
draft standard that addresses the vulnerability."


"Transport Layer Security (TLS) Renegotiation Indication Extension, IETF TLS
Working Group draft that addresses the vulnerability."

Where "IETF TLS Working Group" is hyperlinked to

That would help people who do not have a clue who the IETF or the TLS WG or
that both are open standards forums.



> -----Original Message-----
> From: RedTeam Pentesting GmbH [mailto:release@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Monday, December 21, 2009 5:04 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: TLS Renegotiation Vulnerability: Proof of Concept Code
> (Python)
> Information about a vulnerability in the TLS protocol was published in
> the
> beginning of November 2009. Attackers can take advantage of that
> vulnerability
> to inject arbitrary prefixes into a network connection protected by
> TLS. This
> can result in severe vulnerabilities, depending on the application
> layer
> protocol used over TLS.
> RedTeam Pentesting used the Python module "TLS Lite" to develop proof
> of concept
> code that exploits this vulnerability. It is published at
> http://www.redteam-pentesting.de/publications/tls-renegotiation
> to raise awareness for the vulnerability and its potential impact.
> Furthermore,
> it shall give interested persons the opportunity to analyse
> applications
> employing TLS for further vulnerabilities.
> --
> RedTeam Pentesting GmbH                    Tel.: +49 241 963-1300
> Dennewartstr. 25-27                        Fax : +49 241 963-1304
> 52068 Aachen                    http://www.redteam-pentesting.de/
> Germany                         Registergericht: Aachen HRB 14004
> Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck