Wednesday, 26 October 2011

New DoS Tool Kills SSL Servers With Just One PC


Published by the German hacker group The Hacker's Choice, THC-SSL-DOS is designed to highlight weaknesses in SSL and force "the industry" to make SSL more secure.
"We decided to make the official release after realizing that this tool leaked to the public a couple of months ago," the group wrote in a blog post. "We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century."
According to the group, a notebook and a DSL connection are enough to kill a simple SSL server. Larger server farms required 20 notebooks and traffic of about 120 Kbps. The basic feature of THC-SSL-DOS is that it demands renegotiations of encryption keys, creating up to 1000 parallel connections between the client and the server. As a result, any SSL server is vulnerable to this tool - not just web servers, but email servers as well.
The software is available as a free download for Windows and Unix. Before you download it and use it, keep in mind that using the software will most likely be considered a criminal act.
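
For server operators, the renegotiation pattern described above can be spotted with a sliding-window count over handshake events. The following is an added example, not code from the original post or from the group: the event tuple format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (time_s, client_ip, conn_id, event).
# The tuple layout and event names are assumptions, not a real server log format.
SAMPLE_EVENTS = (
    # One connection renegotiating 30 times in 3 seconds.
    [(0.1 * i, "198.51.100.7", "a1", "renegotiate") for i in range(1, 31)]
    # 100 parallel connections from one client, one renegotiation each.
    + [(1.0 + 0.01 * i, "192.0.2.44", f"b{i}", "renegotiate") for i in range(100)]
    # Ordinary client: initial handshake plus two widely spaced renegotiations.
    + [(0.0, "203.0.113.20", "c1", "handshake"),
       (40.0, "203.0.113.20", "c1", "renegotiate"),
       (400.0, "203.0.113.20", "c1", "renegotiate")]
)


def flag_renegotiation_floods(events, per_conn=5, per_client=50, window_s=10.0):
    """Return {client_ip: [reasons]} for clients whose renegotiation count
    within window_s exceeds the per-connection or per-client threshold."""
    windows = defaultdict(deque)   # key -> renegotiation timestamps in window
    flagged = defaultdict(set)
    for t, ip, conn, event in sorted(events):
        if event != "renegotiate":
            continue               # initial handshakes are expected traffic
        checks = (((ip, conn), per_conn, "per-connection"),
                  ((ip,), per_client, "per-client"))
        for key, limit, reason in checks:
            q = windows[key]
            q.append(t)
            while t - q[0] > window_s:   # drop timestamps outside the window
                q.popleft()
            if len(q) > limit:
                flagged[ip].add(reason)
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in flag_renegotiation_floods(SAMPLE_EVENTS).items():
        print(ip, "exceeded", ", ".join(reasons), "renegotiation threshold")
```

The per-client check matters because the load can be spread over many connections that each stay under the per-connection limit.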
