Friday, June 11, 2010

Detecting SSL/TLS legacy session Renegotiation

Back in November I posted on The TLS Renegotiation Attack for the Impatient, which I hoped was a plain English explanation of this new weakness in SSL and TLS (at the end of the post you can find less plain explanations and links). The weakness was quickly addressed by the IETF a few months later. There is a new review of the attack from nCircle and also a link to the detailed steps that can be taken to specifically detect servers which still run legacy versions of the protocols susceptible to the attack.