News of a new vulnerability in SSL/TLS has been making the rounds today. I first noticed it over at Slashdot, which had a link to the guy who discovered the vulnerability, Ben Laurie, a member of the Shmoo Group. You can read his post about the vulnerability here.
In a nutshell (and with as little IT speak as possible), a special set of circumstances results in a server attempting to “renegotiate” the certificate that enables the client to communicate in an encrypted manner with the server. During this renegotiation a gap exists that allows an attacker to insert a plaintext header, which lets the attacker insert themselves in between. The client then sends their encrypted information to the “man in the middle”, who forwards it on to the server. In effect, two different encrypted sessions are established: one between the client and the rogue server, and another between the rogue server and the victim server.
This impacts other protocols that depend on SSL/TLS, such as the widely used HTTPS protocol. A patch for OpenSSL that prohibits all renegotiation has been released, and an official patch is expected soon. If your site depends on renegotiation to work, then there is no alternative for you at the moment.
Update: Apparently a number of people have discovered this flaw or were aware of it, and the disclosure resulted in them releasing their results as well. That is, the individual cited above is not the only person related to the vulnerability’s discovery.