Tool Lets Single Laptop Take Down An SSL Server

  /     /     /  
Publicated : 22/11/2024   Category : security


Tool Lets Single Laptop Take Down An SSL Server


Yet another strike against SSL security



SSL is in the hot seat again: A new, free tool is now circulating that can take down an HTTPS Web server in a denial-of-service attack using a single laptop via a DSL connection.
Researchers with a hacker group called The Hackers Choice (THC) yesterday released the so-called THC-SSL-DOS tool that abuses the SSL renegotiation feature, which basically reperforms the encryption handshake.
The tool lets an attacker use a single connection to relentlessly perform the renegotiation with the SSL server, eventually overwhelming it. Its a constant renegotiation. Instead of forming new connections over and over again ... it increases the overhead of the server, says Tyler Reguly, manager of security research and development with nCircle.
It all comes down to an SSL feature -- SSL renegotiation -- that isnt typically needed for Web servers. Unless you wanted to change the encryption level, its not a necessity. Some SSL VPNs make extensive use of it, but its not needed in the Web browsing world, Reguly says.
The hackers who wrote the tool recommend disabling SSL renegotiation. But even that wont completely prevent such a denial-of-service attack. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen, the THC hackers said in a statement.
For the tool to take down server farms with SSL load balancing, it requires using about 20 average size laptops and 120 Kbps of traffic, they said.
The new tool is reminiscent of
the Slowloris attack tool
that keeps connections open by sending partial HTTP requests and sends headers at regular intervals to prevent the sockets from closing, and OWASPs Slow HTTP Post tool. Theres also the open-source slowhttptest tool that checks a servers vulnerability to a Slowloris-type attack.
nCircles Reguly was initially skeptical of the attack, but downloaded the tool and gave it a spin. Much to his surprise, it worked well -- too well. It definitely took down the server I tested it on. My laptop versus the HTTPS server was a success, he says. It was kind of scary.
SSL has been under heavy scrutiny during the past couple of years for its vulnerability to
man-in-the-middle attacks
and for the high volume of SSL-based websites that are improperly configured. Some 80 percent, for example, are vulnerable to a Firesheep or similar attack, according to
data from SSL Labs, Qualys community project
. And 70 percent of SSL servers handle credential login in plain text, while 55 percent submit passwords in plain text.
On top of that, there are this years attacks of certificate authorities Comodo and DigiNotar, for instance. We warned in 2002 about giving hundreds of commercial companies (so-called Certification Authorities) a master key to ALL SSL traffic, said Fred Mauer, a senior cryptographer at THC, in a post. Only a real genius can come up with such an idea. And last but not least the immense complexity of SSL Renegotiation strikes again in 2011 with the release of THC-SSL-DOS. It’s time for a new security model that adequately protects the citizens.
THC also dismissed the idea of renegotiating encryption. Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated, the group said.
The tool is available
here
for download.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Tool Lets Single Laptop Take Down An SSL Server