New DoS Tool Kills SSL Servers With Just One PC
Published by German hacker group The Hacker's Choice, the THC-SSL-DOS is designed to highlight weaknesses in SSL and force "the industry" to make SSL more secure.
"We decided to make the official release after realizing that this tool leaked to the public a couple of months ago" the group wrote in a blog post. "We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century."
According to the group, a notebook and a DSL connection are enough to take down a simple SSL server. Larger server farms required 20 notebooks and traffic of about 120 Kbps. The core technique of THC-SSL-DOS is to repeatedly demand renegotiation of the encryption keys, opening up to 1000 parallel connections between client and server. As a result, any SSL server is vulnerable to this tool - not just web servers, but email servers as well.
The software is available as a free download for Windows and Unix. Before you download it and use it, keep in mind that using the software will most likely be considered a criminal act.
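The behaviour the article describes, one client holding many parallel connections and demanding renegotiation on each, is also what a server operator can watch for. The following is an added example, not code from the article or from the THC tool: a small per-client monitor that flags a source when its open connections exceed a limit or its renegotiations exceed a limit within a sliding window. The log format, the IP addresses, the timestamps and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article or the THC tool): one TLS event per
# line, "<ISO-8601 timestamp> <client IP> <event>", event in {open, renegotiate, close}.
# 203.0.113.5 is an ordinary client; 198.51.100.7 behaves the way the article describes.
SAMPLE_LOG = """\
2011-10-24T10:00:00 203.0.113.5 open
2011-10-24T10:00:01 203.0.113.5 renegotiate
2011-10-24T10:00:02 203.0.113.5 close
2011-10-24T10:00:03 198.51.100.7 open
2011-10-24T10:00:03 198.51.100.7 open
2011-10-24T10:00:03 198.51.100.7 open
2011-10-24T10:00:04 198.51.100.7 open
2011-10-24T10:00:04 198.51.100.7 open
2011-10-24T10:00:04 198.51.100.7 open
2011-10-24T10:00:05 198.51.100.7 renegotiate
2011-10-24T10:00:05 198.51.100.7 renegotiate
2011-10-24T10:00:05 198.51.100.7 renegotiate
2011-10-24T10:00:06 198.51.100.7 renegotiate
2011-10-24T10:00:06 198.51.100.7 renegotiate
2011-10-24T10:00:06 198.51.100.7 renegotiate
2011-10-24T10:00:07 198.51.100.7 renegotiate
2011-10-24T10:00:07 198.51.100.7 renegotiate
2011-10-24T10:00:07 198.51.100.7 renegotiate
2011-10-24T10:00:08 198.51.100.7 renegotiate
"""


def parse_line(line):
    """Parse one log line into (timestamp, client_ip, event)."""
    ts, ip, event = line.split()
    return datetime.fromisoformat(ts), ip, event


class RenegotiationMonitor:
    """Tracks per-client open connections and a sliding window of renegotiations.

    The default thresholds are illustrative assumptions, not values from the article.
    """

    def __init__(self, max_concurrent=5, max_reneg=8, window_seconds=10):
        self.max_concurrent = max_concurrent      # open connections allowed per client
        self.max_reneg = max_reneg                # renegotiations allowed per window
        self.window = timedelta(seconds=window_seconds)
        self.open_conns = defaultdict(int)        # ip -> currently open connections
        self.reneg_times = defaultdict(deque)     # ip -> renegotiation timestamps in window
        self.alerts = {}                          # ip -> set of triggered conditions

    def _alert(self, ip, reason):
        self.alerts.setdefault(ip, set()).add(reason)

    def feed(self, ts, ip, event):
        """Record one event; return the conditions this client has triggered so far."""
        if event == "open":
            self.open_conns[ip] += 1
            if self.open_conns[ip] > self.max_concurrent:
                self._alert(ip, "concurrent")
        elif event == "close":
            self.open_conns[ip] = max(0, self.open_conns[ip] - 1)
        elif event == "renegotiate":
            recent = self.reneg_times[ip]
            recent.append(ts)
            # Drop renegotiations that have aged out of the sliding window.
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.max_reneg:
                self._alert(ip, "renegotiation")
        else:
            raise ValueError(f"unknown event {event!r}")
        return frozenset(self.alerts.get(ip, ()))


def analyze(log_text, **thresholds):
    """Run the monitor over a log; return {ip: sorted alert reasons} for flagged clients."""
    monitor = RenegotiationMonitor(**thresholds)
    for line in log_text.splitlines():
        if line.strip():
            monitor.feed(*parse_line(line))
    return {ip: sorted(reasons) for ip, reasons in monitor.alerts.items()}


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On the constructed log the ordinary client never trips a threshold, while the second source is flagged for both conditions. The two counters correspond to the two mitigations a server operator has: a cap on simultaneous connections per source, and a cap on (or outright refusal of) client-initiated renegotiation.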
I bet you are scared to read Mein Kampf because you think you may be accused of being a Nazi and part of concentration camps during WW2.
There is no danger in reading source code, unless that source code was copyrighted and then stolen. This code is open source, for those who want to learn about what vulnerabilities exist in current services that the majority of people who use the Internet rely on. Just don't compile and then run it against a server you don't own/ have explicit, written/signed consent to do so.
Note however that many SSL servers do limit single-IP simultaneous connections, and also many servers disable renegotiation (so you have to reconnect each time), and luckily many SSL servers also have a long reconnect timeout.
Just if you use it on someone else's SSL server.
I am not going to even click on the link. Reminds me of Sony's mess when they tried to get the web hosting company to turn over the IPs of those who downloaded the source code. It's asking for trouble.
Why even make it available for folks to do stupid things with and create a liability for Tom's?
It takes one, to know to download one.
Is a noob hacker worse than a script kiddie?
Because it is just a link.
Tom's doesn't use SSL ... it's completely unencrypted ... take a look at the address bar in your browser.
This so called SSL DoS attack is pretty lame at best. Most SSL servers don't have SSL renegotiation enabled, and those that do have a retry limit. Once again the Germans come up short, just like they did in WWII.
Just more hackers trying to get attention for a ton of work they did that is, for the most part, NOT successful with any reasonably good SSL server.
Love how these lame hackers use "Fishy Security" -- is that a technical term??? Hahaha ROFL
Probably because Tom's is owned by Bestofmedia Group (HQ is in Los Angeles CA), with CEO Antoine Boulin (French native). Tom Pabst the original creator of Tom's Hardware (back when it had a good reputation for solid unbiased information) was a German doctor -- perhaps that's why Tom's is publishing this link.
But the more likely reason for publishing this article is much more simple ... hit count, pays the bills.
I'm sure my post will get deleted even though it violates no "terms of use".
agree