The 'fishy' security in SSL leaves systems vulnerable once again

Oct 25, 2011 07:59 GMT

A German hacker group has released a hacking tool that makes use of a flaw in SSL Renegotiation to take down a website easily and with minimal resources.

The group known as The Hacker's Choice (THC) released a proof of concept that will further force vendors to patch up the issues that revolve around the use of SSL.

“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago,” revealed a member of THC.

Unlike a traditional DDoS, which requires a large number of bots, the new THC SSL DOS utility needs only a handful of bots to take down a website, and a single laptop to quickly exhaust the resources of a server.

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” said one of the group's members.

Even though SSL Renegotiation is rarely used in practice, the research shows that most servers these days have the feature enabled by default, leaving them vulnerable to an attack.

“Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated,” states a THC representative.

However, disabling SSL Renegotiation on a server will not make the problem go away. An attack will just take a larger number of bots and some modifications to the tool.
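Because switching renegotiation off does not remove the problem, a server-side check is more useful when it counts every handshake a client causes, not only renegotiations. The sketch below is an added example, not code from THC or from the original article; the event format, the sample addresses, and the window and limit values are all assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

def build_sample_events():
    """Constructed sample data: (unix_seconds, client_ip, kind).
    "reneg" = renegotiation on an open connection,
    "new"   = handshake on a fresh connection."""
    events = []
    events += [(1000 + i * 0.2, "198.51.100.7", "reneg") for i in range(30)]
    events += [(1000 + i * 0.3, "203.0.113.9", "new") for i in range(25)]
    events += [(1000 + i * 30, "192.0.2.4", "new") for i in range(5)]
    return events

SAMPLE_EVENTS = build_sample_events()

def flag_handshake_floods(events, window=10.0, limit=20):
    """Flag clients that trigger more than `limit` handshakes within any
    `window` seconds, whatever kind of handshake it was.
    Returns {ip: {"peak": n, "<kind>": total, ...}}."""
    recent = defaultdict(deque)   # per-client timestamps inside the window
    kinds = defaultdict(Counter)  # per-client totals by handshake kind
    peaks = {}
    for ts, ip, kind in sorted(events):
        kinds[ip][kind] += 1
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q[0] <= ts - window:
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return {ip: {"peak": peak, **kinds[ip]} for ip, peak in peaks.items()}

if __name__ == "__main__":
    for ip, info in flag_handshake_floods(SAMPLE_EVENTS).items():
        print(ip, info)
```

The second flagged client never renegotiates, so a check keyed only on renegotiation would miss it.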

Fred Mauer, a senior cryptographer at THC, believes that the time has come for a new security model that offers adequate protection to Internet users, as SSL has lately revealed itself to be highly weakened from a number of standpoints.