SSL Flaw Could Have Been Used to Hack Twitter


A flaw in the protocol used to secure communications over the Internet could have been used to hack Twitter accounts. The bug was disclosed on November 5th. At the time it was thought not to affect any major web applications, but IBM researcher Tom Cross has since changed his tune and now regards it with great concern. The good news is that web sites can simply disable the client renegotiation feature of SSL, which is reportedly what twitter.com has done.

Twitter.com was susceptible to the bug because it performed what is called client renegotiation under SSL. Client renegotiation gives a web site a way to ask the user for an SSL client certificate after the user is already connected to the site. It is a useful tool for sites that let users log on with smart cards, or that restrict access to a predefined group of users, but until the flaw is fixed, client renegotiation also opens the door to SSL attacks.