Message-ID: <CAAfuxnLU=3paaPuYRibqbXcf3f2KgFp+61QEbC9ArN2wsqLv9w@mail.gmail.com>
Date: Tue, 25 Oct 2011 16:47:58 +0200
From: Dan Luedtke <maildanrl@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: THC SSL DOS tool released

On Mon, Oct 24, 2011 at 4:14 PM,  <rm@...fault.net> wrote:
> Today the German hacker group "The Hacker's Choice" officially
> released a new DDoS tool. The tool exploits a weakness in SSL to kick a
> server off the Internet.
Finally!
Thank you!

Until we have a better technology, I'd like to discuss short-term
solutions* to this issue.

Instead of CAs we could use notaries like suggested here:
a) http://convergence.io/details.html
b) http://www.youtube.com/watch?v=Z7Wl2FW2TcA

To make it more difficult to DOS servers using SSL, the protocol could
somehow be modified to challenge the client with some useless** but
CPU-heavy calculation before the server starts acting. Of course it
must be something that does not involve heavy calculation at the
server side, otherwise it's just dumb. It's just an idea, and I do not
know if and how this is possible at all.

SSL is dead, long live SSL? I don't see another option at the moment.
Nevertheless, it is good the tool is out in the wild now.

weird thoughts,
  danrl

* Caution: short-term solutions tend to be more persistent than expected :)
** e.g. Bitcoin pooled mining ;)

--
Dan Luedtke
http://www.danrl.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
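The "cheap for the server, expensive for the client" challenge sketched in the message above is what the literature calls a client puzzle. The following is an added example written for this archive page; it is not code from the original post, from THC's tool, or from any SSL/TLS implementation, and it says nothing about how such a step would be fitted into the handshake. The difficulty (16 leading zero bits), the HMAC-based stateless challenge format, the client identifier and the server secret are all assumptions chosen for the demonstration.

```python
"""Hash-based client puzzle (added example, not from the original post).

Server issues a challenge with one HMAC, client burns ~2**bits SHA-256
evaluations to solve it, server verifies with one HMAC plus one SHA-256.
That asymmetry is the whole point of the idea discussed above.
"""
import hashlib
import hmac
import os
import struct

# Assumed parameters for this example: expected client work is ~2**16 hashes.
DIFFICULTY_BITS = 16
# Constructed secret for the example; a real server would keep this private.
SERVER_KEY = b"constructed-secret-key-for-example-only"


def issue_challenge(client_id: bytes, server_key: bytes = SERVER_KEY) -> bytes:
    """Server side. Returns 16-byte nonce || 16-byte HMAC tag.

    The tag binds the nonce to the client, so the server keeps no per-client
    state and a flood of challenge requests costs one HMAC each.
    """
    nonce = os.urandom(16)
    tag = hmac.new(server_key, nonce + client_id, hashlib.sha256).digest()[:16]
    return nonce + tag


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(challenge: bytes, bits: int = DIFFICULTY_BITS):
    """Client side. Brute-force a counter until SHA-256(challenge || counter)
    starts with `bits` zero bits. Returns (counter, hashes_computed).

    There is no shortcut: the client must actually spend the CPU time.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
        if _leading_zero_bits(digest) >= bits:
            return counter, counter + 1
        counter += 1


def verify_solution(client_id: bytes, challenge: bytes, counter: int,
                    bits: int = DIFFICULTY_BITS,
                    server_key: bytes = SERVER_KEY) -> bool:
    """Server side. Constant cost (one HMAC, one SHA-256) regardless of how
    much work the client claims to have done.
    """
    if len(challenge) != 32 or not 0 <= counter < 2 ** 64:
        return False
    nonce, tag = challenge[:16], challenge[16:]
    expected = hmac.new(server_key, nonce + client_id, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False  # challenge was not issued by us, or not for this client
    digest = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
    return _leading_zero_bits(digest) >= bits


if __name__ == "__main__":
    cid = b"client-192.0.2.10"  # constructed client identifier
    ch = issue_challenge(cid)
    ctr, work = solve_puzzle(ch)
    print("client hashes:", work, "server accepts:", verify_solution(cid, ch, ctr))
```

Two caveats a practitioner would raise before taking this further. First, as written a solved challenge can be replayed until the server stops recognising it, so a deployment would need nonce freshness (a timestamp inside the nonce, or a short-lived server key) and, ideally, single use. Second, the client's cost must be paid before the server's expensive step, which for the attack in the thread means before any RSA private-key operation, otherwise the puzzle protects nothing.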
