Do you use TLS or client certificates for authentication? Beware of new MITM vulnerability

As Michael Morisy of ITKE recently posted, New SSL security hole allows man-in-the-middle attacks, a new SSL vulnerability has been announced. What you need to know about this vulnerability is that it most affects TLS (transport layer security) sessions using client authentication certificates. This is a vulnerability at the protocol level which makes it very difficult to fix where a recent previous SSL vulnerability had to do with certificate formats and content.

For specific details from the original researchers, visit the ExtendedSubset.com website. The summary of the announcement is shown below:

 Renegotiating_TLS.pdf

Some helpful protocol diagrams: Renegotiating_TLS_pd.pdf

Packet captures: renegotiating_tls_20091104_pub.zip

This one is definitely going to be interesting to watch. The excitement never ends in the security world. Leave a comment and let other ITKE readers know if you foresee any issues on this vulnerability or if you have taken any specific actions to address the risk. Thanks for reading and let’s continue to be good network citizens.

Strong passwords? Try this test

Passwords are the bane of security but currently and historically the primary authentication method for users. Check out this article by Roger Grimes and see how your password policy stacks up using the Excel spreadsheet tool he provides for download. You can use the to convince management how weak your password policy really is.

Test the strength of your password policy

Roger Grimes presents a useful tool for figuring out how susceptible your network might be to a password-cracking attack

Thanks for reading & let’s continue to be good network citizens.