
New attack tool targets Web servers using secure connections

The program exploits the cost of SSL renegotiation by flooding a server with repeated handshake requests over secure connections.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Hackers have released a program they assert will allow a single computer to take down a Web server using a secure connection.

The THC-SSL-DOS tool, which was released today, purportedly exploits the Secure Sockets Layer (SSL) renegotiation feature: a client opens a single secure connection and then asks the server to renegotiate it over and over. Because each handshake costs the server far more processing than it costs the client, one machine can keep a server busy with cryptographic work until it can no longer serve anyone else. SSL renegotiation lets either side run a fresh handshake, producing new session keys, over an already established SSL connection.

A German group known as The Hacker's Choice (THC) said it released the tool to bring attention to weaknesses in SSL, the protocol that encrypts data travelling between Web sites and an individual user's computer so that it cannot be read in transit.

"We are hoping that the fishy security in SSL does not go unnoticed," an unidentified member of the group said in a blog post. "The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century."

The tool also works against servers that have SSL renegotiation disabled, the group said, but that requires some modification and more attacking machines, since every handshake then needs a new connection. The group said the tool will allow a single IBM laptop to take down the average server over a standard DSL connection.
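As an added illustration of the two attack shapes described above (many renegotiations over one connection, or many fresh connections when renegotiation is off) and of the corresponding server-side defence, the following Python model is example code written for this page, not THC's tool and not any real server's implementation. It sliding-window-counts handshakes per connection and per source address and decides when to drop a connection or block a source; the thresholds, the event names and the sample event stream are assumptions constructed for the demonstration.

```python
"""Handshake rate guard: example defence against renegotiation-based SSL DoS.

Added example, not code from THC-SSL-DOS or from any server.  Thresholds,
event names and the sample traffic below are assumptions for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HandshakeGuard:
    """Bounds handshake work a single client can impose on a TLS server.

    A handshake costs the server more CPU than the client (the server does the
    private-key operation), so an attacker can either renegotiate endlessly on
    one connection or open many new connections.  The guard tracks both with
    sliding windows and returns a verdict for every event it sees.
    """
    max_reneg_per_conn: int = 5       # renegotiations per connection per window
    max_handshakes_per_src: int = 50  # handshakes of any kind per source per window
    window_s: float = 10.0
    _conn: dict = field(default_factory=dict)  # conn_id -> deque of timestamps
    _src: dict = field(default_factory=dict)   # src_ip  -> deque of timestamps

    @staticmethod
    def _push(table, key, ts, window):
        """Append ts to key's window, expire old entries, return window size."""
        q = table.setdefault(key, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        return len(q)

    def observe(self, ts, src_ip, conn_id, kind):
        """Record one event ('handshake' for a new connection, 'reneg' for a
        renegotiation on an existing one).  Returns 'ok', 'drop_conn' or
        'block_src'."""
        if self._push(self._src, src_ip, ts, self.window_s) > self.max_handshakes_per_src:
            return "block_src"
        if kind == "reneg":
            if self._push(self._conn, conn_id, ts, self.window_s) > self.max_reneg_per_conn:
                return "drop_conn"
        return "ok"


def simulate(events, guard):
    """Feed (ts, src, conn, kind) events in time order.  Once a connection is
    dropped or a source blocked, its later events are skipped, as a real
    server would never process them."""
    dropped, blocked, out = set(), set(), []
    for ts, src, conn, kind in sorted(events):
        if src in blocked or conn in dropped:
            out.append((ts, src, conn, kind, "skipped"))
            continue
        verdict = guard.observe(ts, src, conn, kind)
        if verdict == "drop_conn":
            dropped.add(conn)
        elif verdict == "block_src":
            blocked.add(src)
        out.append((ts, src, conn, kind, verdict))
    return out


def summarize(results):
    """Count verdicts per source address."""
    counts = {}
    for _, src, _, _, verdict in results:
        per_src = counts.setdefault(src, {})
        per_src[verdict] = per_src.get(verdict, 0) + 1
    return counts


def run_sample():
    """Constructed traffic (assumption): one renegotiating attacker, one
    connection-flooding attacker, and one normal client."""
    events = []
    # Attacker A: one connection, then 200 renegotiations at 20 per second.
    events.append((0.0, "10.0.0.5", "a1", "handshake"))
    events += [(i * 0.05, "10.0.0.5", "a1", "reneg") for i in range(1, 201)]
    # Attacker B: renegotiation disabled, so 80 new connections in 4 seconds.
    events += [(i * 0.05, "10.0.0.6", f"b{i}", "handshake") for i in range(80)]
    # Normal client: three connections over 25 seconds, one renegotiation.
    events += [(0.0, "192.0.2.10", "c1", "handshake"),
               (12.0, "192.0.2.10", "c2", "handshake"),
               (15.0, "192.0.2.10", "c2", "reneg"),
               (25.0, "192.0.2.10", "c3", "handshake")]
    return summarize(simulate(events, HandshakeGuard()))


if __name__ == "__main__":
    for src, verdicts in run_sample().items():
        print(src, verdicts)
```

Running the block drops attacker A's connection on its sixth renegotiation, blocks attacker B after its 51st connection inside the window, and leaves the normal client untouched. The design point is that per-connection limits alone do not help once the attacker falls back to fresh connections, which is why the guard also counts handshakes per source; in production the same decision would be taken by the TLS terminator or a front-end rate limiter, and many servers simply refuse client-initiated renegotiation outright.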