Researchers have released an attack tool that makes it trivial for anyone to take down websites that allow users to connect via secure connections.
Unlike most denial-of-service attacks (DoS) that require an attacker to direct a network of distributed computers to take down a website by flooding it with fake traffic, the so-called THC-SSL-DOS tool purportedly allows an attacker to achieve the same result from a single computer — or in the case of a website with a number of webservers, just a handful of computers would be sufficient.
The tool, released by a group called The Hackers Choice, exploits a known flaw in the Secure Socket Layer (SSL) protocol by overwhelming the system with secure connection requests, which quickly consume server resources. SSL is what’s used by banks, online e-mail providers and others to secure communications between the website and the user.
The flaw exists in the process called SSL renegotiation, which is used in part to verify a user’s browser to a remote server. Sites can still use HTTPS without that renegotiation process turned on, but the researchers say many sites have it on by default.
“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” said the researchers in a blog post.
The attack still works on servers that don’t have SSL renegotiation enabled, the researchers said, though it takes some modifications and some additional attack machines to bring down the system.
The group notes that vendors have been aware of the vulnerability since 2003, but have not fixed it.
Photo: Al Ibrahim/Flickr