Hackers have released software that, they say, allows a single computer to disable servers by exploiting weaknesses in implementations of the secure sockets layer (SSL) protocol.
The German group known as The Hacker's Choice released the tool on Monday, in an attempt to draw attention to the "long series of vulnerabilities in SSL", which Web sites use to protect personal data.
"We hope that the dubious safety of SSL does not go unnoticed," an unnamed member of the group said in a blog post. "Industry must step in and fix the problem so that citizens are safe again. SSL uses an outdated method of protecting private data, one that is difficult, impractical and inappropriate for the 21st century."
The tool, THC-SSL-DOS, allows one computer with a modest internet connection to bring down a far more powerful server with much greater capacity, but only if the server supports SSL renegotiation, the group said in a statement released Monday. Renegotiation is used to create a new private key, providing secure communications after an encrypted session has already been started. Renegotiation was also at the heart of a vulnerability discovered in 2009, which allows an attacker to inject text into encrypted traffic between two endpoints.
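The asymmetry described above (many renegotiations on one connection cost the server far more than the client) is what a defender would look for in server logs. The following is an added example, not code from the group or from any server product; it assumes a hypothetical, constructed log format in which each renegotiation is recorded with a timestamp, connection id and client address, and flags connections whose renegotiation rate exceeds a chosen threshold within a sliding window.

```python
import re
from collections import defaultdict

# Hypothetical log format, constructed for this example (not a real server's format):
#   "<epoch_seconds> conn=<id> client=<ip> event=renegotiation"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) conn=(?P<conn>\S+) client=(?P<ip>\S+) event=renegotiation$"
)

# Constructed sample: conn a1 renegotiates five times in under a second,
# conn b2 renegotiates twice, half a minute apart; one unrelated line is ignored.
SAMPLE_LOG = """\
1000.0 conn=a1 client=203.0.113.5 event=renegotiation
1000.2 conn=a1 client=203.0.113.5 event=renegotiation
1000.3 conn=a1 client=203.0.113.5 event=handshake
1000.4 conn=a1 client=203.0.113.5 event=renegotiation
1000.5 conn=b2 client=198.51.100.7 event=renegotiation
1000.6 conn=a1 client=203.0.113.5 event=renegotiation
1000.8 conn=a1 client=203.0.113.5 event=renegotiation
1030.5 conn=b2 client=198.51.100.7 event=renegotiation
"""


def parse(lines):
    """Yield (timestamp, connection id, client ip) for each renegotiation line."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield float(m["ts"]), m["conn"], m["ip"]


def flag_renegotiation_floods(lines, window=1.0, max_per_window=3):
    """Return {conn: (client_ip, peak_count)} for every connection whose number of
    renegotiations inside any sliding window of `window` seconds exceeds
    max_per_window. The threshold is an assumption; tune it to the server."""
    per_conn = defaultdict(list)
    client_of = {}
    for ts, conn, ip in parse(lines):
        per_conn[conn].append(ts)
        client_of[conn] = ip
    flagged = {}
    for conn, stamps in per_conn.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[conn] = (client_of[conn], peak)
    return flagged
```

Running `flag_renegotiation_floods(SAMPLE_LOG.splitlines())` flags only `a1`, whose peak of five renegotiations in one second is the pattern the text describes, while the slow `b2` connection passes.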
"The interesting thing is that a safety feature which was intended to make SSL more secure actually makes it more vulnerable to attack," a member of the group said.
The tool allows an ordinary laptop on a standard DSL connection to bring down an ordinary web server. Disabling a larger server farm that uses load balancing requires about 20 laptops and a bandwidth of 120 kbit/s. Even sites that do not support SSL renegotiation may still be affected by THC-SSL-DOS, although the attack must be modified.
The tool is available as a Windows binary and source code for Unix.