Thursday, November 5, 2009

Yet Another SSL/TLS Vulnerability Released

Another SSL/TLS vulnerability has recently been released. This weakness appears to affect applications that use client-side certificates for user authentication. More specifically, the weakness lies in the renegotiation feature. For many people, this will not be an issue, since client-side certificates are rarely used with large Internet-facing applications.

However, some of the more secure applications do rely on client-side certificates for two-factor authentication. These groups should take notice and start preparing to implement any fixes when they become available.

According to the Register article, this issue has been known since September, and key players have been working to develop a solution. A new proposal is expected to be submitted to the IETF today.

Here are the links so far. Anyone out there have any more info at this time?

Register Article
Martin Rex Related Security Research & Response
Analysis by Ivan Ristic

-Michael Coates
