

Sotirov and Applebaum's (redacted) Internet vulnerability, published tomorrow at CCC - tptacek
http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html

======
tptacek
Getting sick of Internet-ending vulnerabilities yet? Of course not! Especially
when there's a redacted abstract to pick apart and guess on!

A slice of context: neither Sotirov nor Applebaum would bank their reputations
on a publicity stunt; they're both well-respected.

Is it SSL? Then why does the redacted text say "_even_ so-called secure..."?
Is it a js/DOM issue? Then what's the word "infrastructure" doing there?

I'm feeling mildly Thawte about this. The attack was impractical before,
exploits known weaknesses, but is possible now that [redacted], and leaves a
criminal in possession of something. Known weaknesses that haven't been probed
well feels maybe RNG-y. Maybe you can request a zillion personal Thawte certs
and bust a pool of entropy.

------
tptacek
Some more interesting context, this time by HD Moore from
Metasploit/Breakingpoint:

[http://www.breakingpointsystems.com/community/blog/Attacking...](http://www.breakingpointsystems.com/community/blog/Attacking-Critical-Internet-Infrastructure)

------
mad
Some more hints: <http://events.ccc.de/2008/12/30/the-cat-is-out-of-the-bag/>

------
brl
Prepare to be astonished.

