KCI attacks against TLS

yuhong · 2015-08-29 06:59:37

Old versions of Mac OS X is listed as one of the affected OSes:
https://www.usenix.org/system/files/con … uschek.pdf
I think most of us don't use client certificates right? Remember that 10.4 and older are unlikely to have been updated to support secure renegotiation, and will likely use insecure renegotiation with client certs making it vulnerable to MITM attacks.

ClassicHasClass · 2015-08-29 17:08:52

Very likely. However, TenFourFox uses NSS, not the built-in Security framework, so it is unaffected.

Tobias has done some work on a replacement Security framework, but it's only for 10.5.

jt · 2015-08-29 20:37:12

YAY for the white hats!

cc333 · 2015-08-31 06:28:16

ClassicHasClass wrote:

Tobias has done some work on a replacement Security framework, but it's only for 10.5.

Do tell! I'm running my MDD with 10.5 as my main desktop Mac right now, and I'd like to get some info on this. Possibly a link as well.

c

ClassicHasClass · 2015-08-31 14:55:41

If you install current versions of Leopard Webkit, it should be included.

techknight · 2015-09-04 00:19:45

You know, I had this funny feeling once websites/corporations started enforcing SSL, more and more, was going to force it to get attacked.

Kinda goes hand-in-hand. the more the public switches to something, the more the hackers are going to attack it.

ThinkClassic

#1 2015-08-29 06:59:37

KCI attacks against TLS

#2 2015-08-29 17:08:52

Re: KCI attacks against TLS

#3 2015-08-29 20:37:12

Re: KCI attacks against TLS

#4 2015-08-31 06:28:16

Re: KCI attacks against TLS

#5 2015-08-31 14:55:41

Re: KCI attacks against TLS

#6 2015-09-04 00:19:45

Re: KCI attacks against TLS

Board footer