Hacker tool targets SSL flaw

By Tessa Reed, Journalist
Johannesburg, 28 Oct 2011

Hackers have released software that they say allows a single computer to knock servers offline, by targeting a well-documented flaw in secure sockets layer (SSL) implementations, The Register writes.

A German group known as The Hacker's Choice (THC) released the tool on Monday, in part to draw attention to what it said was a series of long-running deficiencies in SSL, which Web sites use to prevent social security numbers and other sensitive data from being monitored as they travel between servers and end-user computers.

Computerworld points out that even without SSL renegotiation enabled, attackers can still use THC-SSL-DOS successfully against servers. However, such attacks would require more than a single laptop.

"It still works if SSL renegotiation is not supported, but requires some modifications and more bots before an effect can be seen," the group noted. "Taking on larger server farms who make use of SSL load balancers required 20 average size laptops and about 120Kbps of traffic," it added.

According to CSO, THC members demanded that the industry deliver a replacement for SSL, which has come under attack several times in recent months, most recently by hackers targeting certificate authorities such as DigiNotar and Comodo.

While no real fix existed to prevent such attacks, the group recommended organisations disable SSL renegotiation and invest in an SSL accelerator.