[MashSSL] Microsoft warns of TLS/SSL flaw in Windows

I thought that because this article discussed a weakness caused by client
authentication this group might be interested-
http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-tslssl-flaw-in-windows.ars

 

"Enabling the SSLAlwaysNegoClientCert setting will cause IIS to prompt the
client for a certificate upon the initial connection, and does not require a
server-initiated renegotiation. The downside is that setting this flag will
require the client to authenticate prior to loading any element from the
SSL-protected website and will thus cause the browser to always prompt the
user for a client certificate upon connecting. Alternatively, the company is
offering an update which lets system administrators disable TLS and SSL
renegotiation functionality (available at KB977377
<http://support.microsoft.com/default.aspx/kb/977377>). Microsoft admits,
however, that renegotiation is required functionality for some applications
so it doesn't recommend that this workaround be used for wide implementation
(and should be tested rigorously before any implementation)."

 

See you on today's call.

 

Ben

Benjamin T. Wilson, JD CISSP 
General Counsel and EVP Industry Relations
DigiCert, Inc.

Online:  <http://www.digicert.com/> www.DigiCert.com
Email:  <mailto:ben@digicert.com> ben@digicert.com
Toll Free: 1-800-896-7973 (US & Canada)
Direct: 1-801-701-9678
Fax: 1-866-842-0223 (Toll Free if calling from the US or Canada) 

Received on Friday, 12 February 2010 12:48:24 UTC