Date: Sat, 1 May 2010 13:47:22 -0700
From: Sam Quigley <>
Subject: Re: Impossible to Maintain Secure Session With Web Interface

> iSEC Partners Security Advisory - 2010-001-twitter
> 2010-04-26: Twitter asserts that it is now possible to maintain an HTTPS
>             session if the session begins with HTTPS; i.e. users can
>             navigate to to start an HTTPS session.
>             However, contains HTTP resources, including
>             a JSON response from An active network
>             attacker could potentially use this weakness to insert their
>             own code into the page and maintain control over the user's
>             session.

Also worth noting that, until yesterday, all SSL pages (including sensitive ones like /oauth/authorize) loaded Javascript from without using SSL.  Like the issue iSEC identified above, this has now been fixed.

Also yesterday, they (finally) disabled unsafe SSL renegotiation, thus blocking the credential-stealing attack identified by Anil Kurmus last November.[1]

So: progress.  Unfortunately, they still support SSLv2 and a variety of weak ciphers[2] — so there's still room for improvement.
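
Added example, not part of the original post: a small Python audit for the mixed-content problem discussed in this thread, listing the sub-resources an HTTPS page would fetch over plain HTTP. The page URL and the `.example` hosts in the sample are constructed placeholders, and the active/passive split is this example's own classification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a sub-resource.
# Active content can run in or restyle the page; passive content is only displayed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentAudit(HTMLParser):
    """Collect sub-resources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        for name, value in attrs.items():
            if (tag, name) in ACTIVE or (tag == "link" and name == "href" and "stylesheet" in rel):
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            else:
                continue
            # Resolve relative and protocol-relative ("//host/x") URLs against the page URL.
            absolute = urljoin(self.page_url, (value or "").strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((severity, tag, absolute))


def audit(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages delivered over HTTPS
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; the .example hosts are placeholders, not from the advisory.
SAMPLE = """<html><head><link rel="stylesheet" href="/css/main.css">
<script src="http://static.site.example/app.js"></script>
<script src="//static.site.example/safe.js"></script>
</head><body><img src="http://img.site.example/logo.png">
<script src="https://api.site.example/data.json?callback=cb"></script>
</body></html>"""
```

Calling `audit("https://site.example/oauth/authorize", SAMPLE)` reports the HTTP script as active and the HTTP image as passive; the protocol-relative and relative URLs inherit HTTPS from the page and are not flagged.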

