Sign in / up

back to article Tool lets low-end PC crash much more powerful webserver

Hackers have released software that they say allows a single computer to knock servers offline by targeting a well-documented flaw in secure sockets layer implementations. A German group known as The Hacker's Choice released the tool on Monday, in part to bring attention to what they said were a series of long-running …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    Mushroom

    “The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”

    So who are those sanctimonious jerks who probably know only how to wreck stuff and couldn't design anything secure if their life depended on it?

    Like vandals claiming they be fightin' for the freedom of the working class.

    0 8
    1. Andrew Waite
      Reply Icon
      FAIL

      Research needed

      You should probably take a look at THC's history and projects before flaming them. This isn't the work of the latest round of skiddies to crawl out of the woodwork.

      0 0
      1. Destroy All Monsters Silver badge
        Reply Icon
        Thumb Down

        Well they definitely behave that way.

        0 0
  2. Anonymous Coward
    Happy

    Grammar check

    It should read 'Tools let low end PC....'. This wasn't the work of an individual

    1 1
  3. Anonymous Coward
    Anonymous Coward

    I for one don't care what their motives are - over the past months it has become abundantly clear that SSL in its current form is well past its use-by date, so the sooner it gets fixed or replaced the better.

    5 0
  4. James 100

    Discovering and proving a flaw in a security product is a valuable service, IMO - unlike vandals, these guys haven't done any actual damage. By releasing the tool into the wild, this effectively forces developers to fix the hole ASAP, rather than sitting around pontificating about whether it's really important or not until it's used to do some serious damage.

    I wonder if this will affect Google's apparent affection for SSL on everything - and if there's a botnet big enough to knock them offline using this technique, if they aren't already protected?

    0 0
  5. W60

    Workaround

    Per the THC site:

    "No real solutions exists. The following steps can mitigate (but not solve)

    the problem:

    1. Disable SSL-Renegotiation

    2. Invest into SSL Accelerator

    Either of these countermeasures can be circumventing by modifying

    THC-SSL-DOS."

    Surely then just limiting connection based upon src IP with renegotiation is a mitigation that can't be circumvented....unless you can spoof the traffic

    0 0
This topic is closed for new posts.

Other stories you might like