| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAfuxnLU=3paaPuYRibqbXcf3f2KgFp+61QEbC9ArN2wsqLv9w@mail.gmail.com> Date: Tue, 25 Oct 2011 16:47:58 +0200 From: Dan Luedtke <maildanrl@...glemail.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: THC SSL DOS tool released On Mon, Oct 24, 2011 at 4:14 PM, <rm@...fault.net> wrote: > Today the German hacker group "The Hacker's Choice" officially > released a new DDoS tool. The tool exploits a weakness in SSL to kick a > server off the Internet. Finally! Thank you! Until we have a better technology, I'd like to discuss short-term solutions* to this issue. Instead of CAs we could use notaries like suggested here: a) http://convergence.io/details.html b) http://www.youtube.com/watch?v=Z7Wl2FW2TcA To make it more difficult to DOS servers using SSL, the protocol could somehow be modified to challenge the client with some useless** but cpu-heavy calculation before the server starts acting. Of course it must be something that does not involve heavy calculation at the server side, otherwise its just dumb. It's just an idea, and I do not know if and how this is possible at all. SSL is dead, long live SSL? I don't see another option at the moment. Nevertheless, it is good the tool is out in the wild now. weird thoughts, danrl * Caution: short-term solutions tend to be more persistent than expected :) ** e.g. bitcoins pooled mining ;) -- Dan Luedtke http://www.danrl.de _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists