On 11/30/2009 11:47 PM, Kyle Hamilton:
> Twitter was breached. Before they disabled renegotiation on their servers, the status message POST update was POST [...], and then their Basic-encoded username and password. Someone injected prior bytes before allowing the renegotiation, and every time someone was intercepted, that someone's status message changed to a whole bunch of usernames and passwords.
Which was a clear failure on the application level, not SSL... the renegotiation just made it work easily.

I claim that a correctly handled application is not subject to this kind of attack.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
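A toy model of the splice Kyle describes and of the application-side handling Eddy's claim calls for, added here as an example; it is not code from this thread, from Twitter or from any TLS library. The HTTP parser, the status endpoint, the accounts `alice` and `mallory`, the host `twitter.example` and the `RENEG` marker are all constructed. The one assumption that matters is that the TLS layer tells the application where a renegotiation happened (something pre-RFC 5746 stacks did not do); given that signal, the "correct" application is one that never lets a request span the boundary.

```python
import base64

# Constructed marker: the TLS layer reports that a renegotiation occurred
# between two runs of application data.
RENEG = "<tls-renegotiation>"


def parse_requests(buf: bytes):
    """Parse every complete HTTP/1.1 request in buf; return (requests, leftover).

    A request whose headers or Content-Length body are not fully present is
    left in the buffer untouched, exactly as a real server would buffer it.
    """
    requests = []
    while True:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            break  # headers not complete yet
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().decode().lower()] = value.strip().decode()
        length = int(headers.get("content-length", "0"))
        if len(rest) < length:
            break  # body not complete yet
        requests.append({"request_line": lines[0].decode(),
                         "headers": headers, "body": rest[:length]})
        buf = rest[length:]
    return requests, buf


def handle(req):
    """Toy status-update endpoint: returns (account, stored_status) or None."""
    auth = req["headers"].get("authorization", "")
    if not auth.startswith("Basic "):
        return None
    user = base64.b64decode(auth[6:]).split(b":", 1)[0].decode()
    fields = dict(p.split(b"=", 1) for p in req["body"].split(b"&") if b"=" in p)
    return user, fields.get(b"status", b"").decode(errors="replace")


def vulnerable_server(segments):
    """Pre-RFC 5746 behaviour: the renegotiation is invisible to the
    application, so bytes buffered from the old context are joined with the
    bytes the new peer sends after it."""
    stream = b"".join(s for s in segments if s is not RENEG)
    requests, _ = parse_requests(stream)
    return [r for r in map(handle, requests) if r]


def safe_server(segments):
    """Application-level handling: a renegotiation ends the request context,
    so a partial request buffered before it is dropped rather than completed
    with the new peer's bytes."""
    results, buf = [], b""
    for seg in segments:
        if seg is RENEG:
            buf = b""  # discard whatever the old context left unfinished
            continue
        buf += seg
        requests, buf = parse_requests(buf)
        results.extend(r for r in map(handle, requests) if r)
    return results


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed: the victim's own status update, sent after the renegotiation.
VICTIM_REQUEST = b"\r\n".join([
    b"POST /statuses/update HTTP/1.1",
    b"Host: twitter.example",
    b"Authorization: " + basic("alice", "hunter2").encode(),
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length: 18",
    b"",
    b"status=hello+world",
])


def injected_prefix(victim_len):
    """Constructed model of the 'prior bytes': a POST under the injector's own
    account whose Content-Length is sized to swallow the victim's request."""
    return b"\r\n".join([
        b"POST /statuses/update HTTP/1.1",
        b"Host: twitter.example",
        b"Authorization: " + basic("mallory", "x").encode(),
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(len(b"status=") + victim_len).encode(),
        b"",
        b"status=",
    ])


# What the server's application layer sees: prefix, renegotiation, victim.
SEGMENTS = [injected_prefix(len(VICTIM_REQUEST)), RENEG, VICTIM_REQUEST]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_server(SEGMENTS))
    print("safe:      ", safe_server(SEGMENTS))
```

Run stand-alone, the vulnerable path stores one status under `mallory` whose text is Alice's entire request, `Authorization: Basic ...` line included; the safe path drops the half-finished prefix at the renegotiation and stores `hello+world` under `alice`. The check that makes the difference is one line: clearing the receive buffer when the TLS layer reports a renegotiation, which is only possible if the TLS layer exposes that event to the application.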