TLS / SSLv3 renegotiation vulnerability explained

Back in September, a vulnerability in how TLS and SSLv3 handle renegotiation was found and quietly discussed in the security community. It would allow an attacker to inject data into an encrypted conversation, breaking the integrity of that conversation. When the vulnerability became public in October and mainstream in November, there was a lot of confusion about what was vulnerable and what the risk was in using this type of encryption.

G-Sec from Luxembourg wrote this paper describing the issue in detail:

http://www.g-sec.lu/practicaltls.pdf

The majority of software vendors have released patches to mitigate this issue, mostly by refusing to allow renegotiation. Although this is not an ideal fix, it should help in the meantime.

Thanks,
ep