You might have noticed the SSL/TLS authentication gap vulnerability that was announced publicly in November. If not, you can find the original whitepaper at phonefactor.com. Thierry Zoller also published a detailed analysis and description of the problem.
Like many others, we have spent some time on that vulnerability. Unfortunately, the original Proof-of-Concept code is written in C and cumbersome to use, so Lutz decided to write our own. This PoC is written in Python and is, hopefully, platform independent. It works well for Man-in-the-Middle attacks against HTTPS-secured websites. We have already used the code in our pentests to demonstrate to our clients what may happen if SSL/TLS renegotiation is enabled.
We are going to release the code in a couple of days on our website, so stay tuned and check the news and this blog for updates.
{ 1 } Comments
Cool, I am eager to test it in a VoIP environment ;-)
Inform me when it will be published…
Health & Happiness :-D
Sn0rkY
{ 2 } Trackbacks
[...] As promised, the TLS Renegotiation vulnerability Python PoC is now publicly available on our websites: [...]
[...] SSL Man-in-the-Middle PoC to come – blogs.23.nu/RedTeam Red Team to release a SSL/TLS authentication man-in-the-middle attack [...]