Thursday, April 02, 2015
Why is SSL under attack?
SSL is under attack, not just from those who would do bad things unto thee but also from We The Media. The latest headline-grabbing threat was revealed in an OpenSSL security advisory last week which started with a high severity warning entitled "OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)." This could impact users of the open source crypto library, well OpenSSL version 1.0.2 anyway, and to cut a very long and boring story short enable a Denial of Service attack to occur against the server. It enabled a malicious client to crash - and then reboot - the server with a NULL pointer deference when renegotiating with an invalid signature algorithm. I did warn you it was boring. Not, however, as boring as the IT security industry commenting spat that rolled out as a result.