Preamble :

During my research on TLS/SSL Compatibility across different Operation Systems and Browsers I created supporting tools for myself and later decided to release them for the public.

"SSL Audit" remotely scans web servers for SSL support - unlike other tools it is not limited to ciphers supported by underlying SSL engines such as "OpenSSL" or "NSS" but can detect cipher suites based on it's own (simplistic) SSL/TLS engine. As a gimmick it features an innovative Fingerprinting engine that is based on behavioral heuristics.

Final release for my paper explaining the different attack vectors and impacts for (CVE-2009-3555) "TLS / SSL renegotiation vulnerability".

  • Added comments and corrections by Alun Jones (Who I hereby thank for his time)
  • Changed FTPS description
  • Better PDF output
I profit from the update to stress particular impacts that seem to be forgotten about, in addition to the plain-text injection described everywhere (Please refer to the paper to know more)

Additional Impacts
  • Potentially allows to downgrade from HTTPS to HTTP (à la SSLstrip)
  • Potentially allows to inject XSS into Trace requests
Available Tools (2011)
I have been delighted by the interest given to this paper at the time, the paper is referenced by the US-CERT, DFN-CERT, BELNET-CERT, SWITCH-cert, Nessus, Qualys, c't Heise and the book "IPhone and IOS Forensics: Investigation, Analysis and Mobile Security" covers the analysis on Page 110

Download "TLS/SSL Session Renegotiation Vulnerability Explained"

A colleague of mine spotted the below while doing expenses - The photograph below shows two separate receipts from two parking buildings that are not far away from each other in central Luxembourg (est. 1km). Both were paid by credit card / debit card.

Update:  Bruce Schneier thoughts on this matter