Archive for October, 2009

SSL Used in Spam

Posted by Tyler on October 12, 2009
SSLFail / No Comments

SANS ISC is reporting that people are receiving spam indicating that a server upgrade is occurring and people will need to manually update their SSL certificates. As if there weren’t already enough problems with SSL.

I have to say, this is interesting and if anyone has any examples of the message (with mail headers) or a valid email link, please share it with me (treguly@thisdomain).

Server Outage

Posted by Tyler on October 11, 2009
Site Related / 1 Comment

Anyone who tried to access SSLFail.com late last night or this morning would have noticed that it was down. I apparently caused my own server outage with Python. Here’s how it happened.

When sockstress was first discussed I was rather intrigued and thought about it for a bit, but then I quickly abandoned it… I just had too many other things on my plate. However, discussions at SecTOR renewed my interest in exploring how this tool worked. After a bit of googling, I found this page which gives an explanation of what is occurring, although I wasn’t sure if it was correct. It did, however, fit with the ‘TCP/IP Zero Window Size Vulnerability’ in MS09-048.

I decided I would code up the diagram on the Check Point page and see what happened when I tested it. I started writing in Python using SOCK_RAW and was ready to send my first packet… or so I’d thought. I forgot to send an appropriate Ethernet header, which meant parsing the packet found garbage instead of a valid packet… and port security on the switch found an invalid MAC address and quickly disabled the port. Which means no more using the SSLFail.com server for playing with raw sockets.

Anyways, everything is back up and running now.

SSLFail Panel Interview on DarkReading

Posted by Tyler on October 08, 2009
Site Related / 1 Comment

I just wanted to point to an awesome article from Kelly Jackson Higgins on DarkReading. I can call it awesome because it’s about the SSLFail panel at SecTOR and includes quite a bit of the information we shared with attendees, so for anyone not at SecTOR and not wanting to look at the raw data (which is coming soon)… it provides an awesome overview. Mike and I really enjoyed the opportunity to sit down and talk with Kelly and had realized at the end of the call that we had a much better idea of what we were going to discuss on the panel than we did before the interview. So everyone who enjoyed the discussion points on the panel has Kelly to thank for that.

SSLFail.com Panel Follow-up

Posted by Tyler on October 08, 2009
Site Related / No Comments

I want to call the SSLFail.com panel at SecTOR a great success. We had a great time up there and if the audience participation was any indication (and it seems to be) then it was a good time for everyone. We ended up talking so long that we were kicked out of the room because the next speaker needed to get on the stage to prepare for his presentation. So we migrated to the hallways and answered a few more questions. We also managed to have things to throw at the audience (vendor swag from nCircle (t-shirts) and ForeScout (stress blocks)), so thank you to both vendors. I’m hoping that people took something away from the talk but if there are questions and follow-ups please feel free to contact us, email can be sent to treguly [at] sslfail [dot] com, and I’ll be more than happy to pass it along to the other panelists. I really think we gained as much, if not more, than the attendees and I expect there will be some blog posts posted here over the next few weeks to discuss various things.

For now, I just wanted to say thank you to everyone that skipped two amazing talks to sit through ours, it was definitely appreciated.