Posts tagged fault
Last year a new security vulnerability was discovered that allowed an attacker to mount a man-in-the-middle attack over a secure SSL connection. SSL renegotiation lets the attacker send some data over the secure line, then request an SSL renegotiation using the victim's credentials and forward the rest of the victim's request data. This fools the server into believing that the entire request came from the victim.
This is not a flaw in a software implementation but a flaw in the SSL protocol specification. It leaves many applications that use SSL with renegotiation enabled vulnerable to man-in-the-middle attacks. That is why Mozilla decided to completely disable SSL renegotiation in the next version of the Firefox browser. When you try to access a site that has SSL renegotiation enabled, you get the following error:
Renegotiation is not allowed on this SSL socket.
(Error code: ssl_error_renegotiation_not_allowed)

To enable SSL renegotiation you need to point your browser to about:config. After confirming that you know what you are doing, you need to search for:
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref
and set it to true. After this you should be able to access the site.
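
The renegotiation splice described at the start of this post, as an added toy model that is not part of the original post and uses no real TLS or networking. It shows why the server credits data received before the renegotiation to the victim, and how disabling renegotiation stops the sequence. All names (ServerConnection, attribute_naive, attribute_strict, spliced_session) are hypothetical, and the strict per-identity check is an assumed server-side option, not something the post describes.

```python
from dataclasses import dataclass, field


@dataclass
class ServerConnection:
    """Toy server-side view of one SSL connection (no real TLS or sockets)."""
    allow_renegotiation: bool = True
    identity: str = "anonymous"                 # peer identity from the latest handshake
    chunks: list = field(default_factory=list)  # (identity when received, bytes)

    def receive(self, data: bytes) -> None:
        # Record who the peer was at the moment these bytes arrived.
        self.chunks.append((self.identity, data))

    def renegotiate(self, new_identity: str) -> None:
        if not self.allow_renegotiation:
            raise ConnectionError("renegotiation is not allowed on this connection")
        # A new handshake replaces the peer identity on the same connection.
        self.identity = new_identity


def attribute_naive(conn):
    """Flawed behaviour: credit every buffered byte to the current identity."""
    return conn.identity, b"".join(data for _, data in conn.chunks)


def attribute_strict(conn):
    """Assumed check: reject bytes that arrived under a different identity."""
    if any(who != conn.identity for who, _ in conn.chunks):
        raise PermissionError("request spans a renegotiation that changed identity")
    return attribute_naive(conn)


def spliced_session(allow_renegotiation=True):
    """Constructed sequence: data, handshake with the victim's credentials, more data."""
    conn = ServerConnection(allow_renegotiation=allow_renegotiation)
    conn.receive(b"[data sent before renegotiation]")
    conn.renegotiate("victim")
    conn.receive(b"[rest of the victim's request]")
    return conn


if __name__ == "__main__":
    # The naive server attributes both parts to the victim.
    print(attribute_naive(spliced_session()))
```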