Researchers in Germany associated with a group that calls itself “The Hacker’s Choice” (THC) have recently discovered how to create a denial of service (DoS) via SSL. The tool, specifically crafted to show any weakness in security as well as to disrupt business operations, could potentially affect your company by bringing critical resources (UNIX and Windows) to their knees. Since the tool is freely available online, an attacker could choose his target and launch an attack aimed at a specific server, resulting in a loss of resources for the company.
“The average server can do 300 handshakes per second. This would require 10-25% of your laptop’s CPU,” writes Network World’s “Ms. Smith.” Because each handshake costs the server far more work than it costs the client, someone with a high-end laptop or multiple laptops could potentially bring your systems to a halt by overwhelming a server’s processing resources. Currently, the only known fixes are to use multiple servers with load balancing, to disable SSL renegotiation, and to invest in an SSL accelerator.
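As an added illustration (not code from the original post or from THC), a small detector that scans handshake log lines and flags any single source performing far more handshakes per second than a real client would; the log format, the sample addresses and the per-source limit are assumptions:

```python
"""Flag clients that open TLS handshakes/renegotiations at an abnormal rate.

Assumed log format (one line per completed handshake or renegotiation):
    <ISO-8601 timestamp> handshake src=<client ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data: one normal browser and one host hammering handshakes."""
    base = datetime(2011, 10, 25, 10, 0, 0)
    lines = []
    # Normal client: four handshakes spread over several seconds.
    for i in range(4):
        ts = (base + timedelta(seconds=i * 1.5)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} handshake src=198.51.100.7")
    # Abusive client: sixty back-to-back handshakes inside one second.
    for i in range(60):
        ts = (base + timedelta(milliseconds=i * 15)).isoformat(timespec="milliseconds")
        lines.append(f"{ts} handshake src=203.0.113.9")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically


def parse_line(line):
    """Return (timestamp, source ip) or None for a line that does not match."""
    try:
        ts_str, kind, rest = line.split(" ", 2)
        if kind != "handshake" or not rest.startswith("src="):
            return None
        return datetime.fromisoformat(ts_str), rest[4:].strip()
    except ValueError:
        return None


def handshake_rates(lines, window_s=1.0):
    """Peak number of handshakes each source completed within any window_s seconds."""
    recent = defaultdict(deque)   # per-source sliding window of timestamps
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src = parsed
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def flag_floods(lines, per_source_limit=20, window_s=1.0):
    """Sources exceeding the limit; 20/s is an assumed threshold for a single client."""
    rates = handshake_rates(lines, window_s)
    return sorted(src for src, n in rates.items() if n > per_source_limit)
```

A source flagged this way is a candidate for rate limiting at the load balancer or for confirming that client-initiated renegotiation is disabled on the terminator.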
This news comes alongside a report that another group of researchers from Germany has discovered how to break the XML encryption used by major vendors such as IBM, Microsoft, and Red Hat Linux. The researchers sent modified code to a server and, based on the server’s error message in response, could break XML encryption and impact a variety of XML-based languages, such as RSS, Atom, SOAP, and XHTML. As of the writing of this post, no further technical details have been provided to the public, and since no known solutions to this problem are currently available, researchers are working feverishly on creating a new encryption standard.
More information on the above story can be found at Network World: http://www.networkworld.com/community/blog/double-security-whammy-no-patches-killer-ssl-