Message-ID: <4EB0FD7B.7050800@mh-sec.de>
Date: Wed, 02 Nov 2011 09:21:15 +0100
From: Marc Heuse <mh@...sec.de>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: THC SSL DOS tool released

On 02.11.2011 00:44, coderman wrote:
> On Tue, Nov 1, 2011 at 4:14 PM, Marsh Ray wrote:
>> ...
>> I want an excuse to buy a smokin new video card as much as the next
>> guy, but if anyone ever bothered to look at the protocol they'd
>> realize the attacker doesn't actually need to do any crypto.
>
> i don't want to use 20 laptops to do what can be done with one (when
> renegotiation disabled and hw accel present)
>
> i've got a radeon mobility in this lappy for a reason!

still, you don't need a gpu, even with renegotiation disabled and hardware
acceleration present.

Just don't use openssl (or similar libraries).
you can send the initial communication yourself before it's the client's
task to do CPU intensive operations and then just close the connection
and reconnect.

and the thc-ssl-dos is proof of concept code, and could be enhanced to
be more effective too.

greets,
marc
--
Marc Heuse
www.mh-sec.de
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/