SSL renegotiation

Here is a link to an interesting article from Ivan Ristic about SSL renegotiation, the issue discovered almost a year ago that could lead to MITM attacks: http://blog.ivanristic.com/2010/10/disabling-ssl-renegotiation-is-a-crutch-not-a-fix.html.
The point is that simply disabling renegotiation altogether in web servers (those that do not need it) gives no indication of their security status to the various browsers a user may be running.
There is a new renegotiation RFC (5746) from the TLS Working Group, and all software vendors must implement and push it as an important update ASAP!
If you want to check the security level of an SSL/TLS enabled site and find out whether it has renegotiation enabled (secure or not), try this tool from SSL Labs: https://www.ssllabs.com/.
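As an added illustration of what RFC 5746 actually changes on the wire (this is example code written for this post, not code from Ivan Ristic, SSL Labs or any TLS library): a client advertises support for secure renegotiation on its initial handshake with the `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite value (0x00FF) and/or an empty `renegotiation_info` extension (type 0xFF01); a patched server answers with its own empty `renegotiation_info` extension. The snippet below builds that ClientHello body and classifies a ServerHello body as "secure", "legacy" (no RFC 5746 signal, so the server is either unpatched or has renegotiation disabled without signalling it) or "invalid" (a non-empty `renegotiated_connection` on an initial handshake, which a client must reject). The handshake bytes are constructed inline for the example; it does not open a network connection, and the TLS 1.2 version bytes and fixed random values are assumptions made for determinism.

```python
import struct

# RFC 5746 constants
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # signalling cipher suite value
EXT_RENEGOTIATION_INFO = 0xFF01               # extension type renegotiation_info

# Constructed values for the example (a real client uses 32 random bytes).
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def build_client_hello_body(cipher_suites, use_scsv=True, use_extension=True):
    """Return a ClientHello body (no record/handshake headers) for an
    initial handshake that signals RFC 5746 support."""
    suites = list(cipher_suites)
    if use_scsv:
        suites.append(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    body = b"\x03\x03"                         # client_version: TLS 1.2 (assumed)
    body += CLIENT_RANDOM                      # 32-byte random
    body += b"\x00"                            # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                        # compression_methods: null only
    extensions = b""
    if use_extension:
        # renegotiation_info carries renegotiated_connection<0..255>;
        # on the initial handshake it must be empty (one length byte of 0).
        ext_data = b"\x00"
        extensions += struct.pack("!HH", EXT_RENEGOTIATION_INFO, len(ext_data)) + ext_data
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return body


def build_server_hello_body(cipher_suite, secure=True, renegotiated_connection=b""):
    """Constructed ServerHello body used as sample input for the parser below."""
    body = b"\x03\x03" + SERVER_RANDOM + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", cipher_suite) + b"\x00"  # chosen suite, null compression
    if secure:
        ext_data = bytes([len(renegotiated_connection)]) + renegotiated_connection
        ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    return body


def parse_server_hello_body(body):
    """Walk a ServerHello body and report whether renegotiation_info is present
    and what renegotiated_connection it carries."""
    pos = 2                                    # skip server_version
    pos += 32                                  # skip random
    sid_len = body[pos]; pos += 1
    pos += sid_len                             # skip session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                   # compression_method
    result = {"cipher_suite": cipher_suite,
              "renegotiation_info": False,
              "renegotiated_connection": None}
    if pos + 2 <= len(body):                   # extensions block is optional
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext_data = body[pos:pos + ext_len]; pos += ext_len
            if ext_type == EXT_RENEGOTIATION_INFO and ext_len >= 1:
                rc_len = ext_data[0]
                result["renegotiation_info"] = True
                result["renegotiated_connection"] = ext_data[1:1 + rc_len]
    return result


def classify_initial_server_hello(body):
    """'secure'  : server signals RFC 5746 with an empty renegotiated_connection
       'invalid' : extension present but non-empty on an initial handshake
       'legacy'  : no RFC 5746 signal at all (unpatched, or disabled silently)"""
    info = parse_server_hello_body(body)
    if not info["renegotiation_info"]:
        return "legacy"
    if info["renegotiated_connection"] != b"":
        return "invalid"
    return "secure"


if __name__ == "__main__":
    hello = build_client_hello_body([0x002F, 0x0035])   # AES-128/256-SHA (example suites)
    print("ClientHello body:", hello.hex())
    for name, sh in [("patched", build_server_hello_body(0x002F)),
                     ("unpatched", build_server_hello_body(0x002F, secure=False)),
                     ("broken", build_server_hello_body(0x002F, renegotiated_connection=b"\xaa"))]:
        print(f"{name}: {classify_initial_server_hello(sh)}")
```

The "legacy" verdict is exactly the ambiguity the post complains about: from the handshake alone a client cannot tell a server that disabled renegotiation from one that is still vulnerable, because only RFC 5746 gives the server a way to say so.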


This entry was posted on Sunday, October 10th, 2010 at 5:37 PM and is filed under internet, security, software.
