Researchers Release Attack Tool That Cripples Secure Websites


Researchers have released an attack tool that makes it trivial for anyone to take down websites that allow users to connect via secure connections.

Unlike most denial-of-service (DoS) attacks, which require an attacker to direct a network of distributed computers to take down a website by flooding it with fake traffic, the so-called THC-SSL-DOS tool purportedly allows an attacker to achieve the same result from a single computer. For a website with a number of webservers, just a handful of computers would be sufficient.

The tool, released by a group called The Hackers Choice, exploits a known flaw in the Secure Sockets Layer (SSL) protocol by overwhelming the system with secure connection requests, which quickly consume server resources. SSL is used by banks, online e-mail providers and others to secure communications between the website and the user.

The flaw exists in the process called SSL renegotiation, which is used in part to verify a user’s browser to a remote server. Sites can still use HTTPS without that renegotiation process turned on, but the researchers say many sites have it on by default.
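From the defender's side, the renegotiation behaviour described above shows up as one connection asking for many new handshakes in a short time. The following is an added example, not code from the article or from The Hackers Choice, that flags such connections; the event tuples, event names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events, not a real server's log format:
# (timestamp in seconds, client IP, connection id, event name).
SAMPLE_EVENTS = (
    # Ordinary client: one handshake, one later renegotiation.
    [(0.0, "192.0.2.10", 1, "handshake"), (30.0, "192.0.2.10", 1, "renegotiate")]
    # Client that renegotiates 8 times in under a second on one connection.
    + [(1.0, "198.51.100.7", 2, "handshake")]
    + [(1.0 + 0.1 * i, "198.51.100.7", 2, "renegotiate") for i in range(1, 9)]
    # Client that renegotiates 5 times, but 20 seconds apart.
    + [(2.0, "203.0.113.5", 3, "handshake")]
    + [(20.0 * i, "203.0.113.5", 3, "renegotiate") for i in range(1, 6)]
)


def find_renegotiation_floods(events, max_renegs=3, window=10.0):
    """Return {(client, conn_id): peak_count} for connections that exceed
    max_renegs renegotiations inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)  # per-connection renegotiation timestamps
    flagged = {}
    for ts, client, conn_id, event in sorted(events):
        if event != "renegotiate":
            continue
        key = (client, conn_id)
        stamps = recent[key]
        stamps.append(ts)
        # Drop renegotiations that have aged out of the window.
        while ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) > max_renegs:
            flagged[key] = max(flagged.get(key, 0), len(stamps))
    return flagged


if __name__ == "__main__":
    for (client, conn_id), peak in find_renegotiation_floods(SAMPLE_EVENTS).items():
        print(f"{client} conn {conn_id}: {peak} renegotiations within 10s")
```

Counting per connection rather than per IP address is deliberate: the behaviour of interest is repeated handshakes inside a single established session, which a per-IP connection-rate limit does not see.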

http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/


About the author

Anonymous
