New attack tool targets Web servers using secure connections
The program exploits a flaw in SSL renegotiation by overwhelming servers with multiple requests for secure connections.
Hackers have released a program they assert will allow a single computer to take down a Web server using a secure connection.
The THC-SSL-DOS tool, which was released today, purportedly exploits a flaw in Secure Sockets Layer (SSL) renegotiation protocol by overwhelming the system with multiple requests for secure connections. SSL renegotiation allows Web sites to create a new security key over an already established SSL connection.
A German group known as Hackers Choice said it released the exploit to bring attention to flaws in SSL, which allows sensitive data to flow between Web sites and an individual user's computer without being intercepted.
"We are hoping that the fishy security in SSL does not go unnoticed," an unidentified member of the group said in a blog post. "The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century."
The exploit also works on servers that don't have SSL renegotiation enabled, the group said, but requires some modification and more computers. The group said the exploit will allow a single IBM laptop to take down the average server over a standard DSL connection.