Yesterday the blogosphere, twittosphere, and other-spheres were abuzz when a new TLS renegotiation man-in-the-middle attack was disclosed.
Interestingly enough, while we were all still reading about it and figuring out all the nuances, one of our own DevCentral members was out implementing a solution.

No, he’s not a vendor with a product to worry about, he’s just a “guy” trying to defend his web site and applications from potential attacks like this one. But he’s a guy with network-side scripting in his arsenal of web application security tools, and with that and his understanding of the very well-documented vulnerability he crafted a solution.

Colin documents the iRule that addresses this vulnerability in his 20LoL post for the week, and so I won’t repost the code. You can also view the forum thread [registration required] in which “Lupo” describes and discusses the solution.

What I love about this solution is not necessarily that it solves a particular vulnerability. That’s awesome, of course, and a great thing, but in the coming weeks and months we’ll see a lot of solutions that address this particular vulnerability. What I really love about this solution is the speed with which it was implemented. The vulnerability was disclosed yesterday and Lupo had a solution today, which he generously shared with thousands of others who can put the same solution into use immediately.

A lot of folks talk about agility and how solution X or Y enables organizations to respond rapidly to changing market/business conditions, but rarely do you see as solid an example as this one. From disclosure to solution in one day. That’s agility in action.

UPDATE (12/09/2009): The code referenced in Colin's post and the forums contains a "TCP::close" near the end of the iRule. Based on feedback from implementations, this needs to be changed to simply "reject" to avoid causing a problem with core processing.
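To illustrate the shape of such a mitigation, here is an added example iRule; it is not the code from Colin's post or Lupo's thread. It assumes that the CLIENTSSL_HANDSHAKE event fires for the initial handshake and again for each renegotiation on the same connection, and it ends with "reject" as the update above recommends.

```tcl
# Added example, not the iRule from Colin's post or Lupo's forum thread.
# Assumption: CLIENTSSL_HANDSHAKE fires once for the initial client-side
# handshake and again for every renegotiation on the same TCP connection,
# so a count above one means the client is renegotiating.
when CLIENT_ACCEPTED {
    # Per-connection counter; iRule variables are scoped to the connection.
    set handshake_count 0
}

when CLIENTSSL_HANDSHAKE {
    incr handshake_count
    if { $handshake_count > 1 } {
        # A renegotiation was attempted: log it and drop the connection.
        # "reject" is used rather than TCP::close, per the update above,
        # so core processing is not disturbed.
        log local0. "Rejecting TLS renegotiation from [IP::client_addr]"
        reject
    }
}
```

Legitimate clients that renegotiate (for example, to present a certificate mid-session) would also be rejected, so check your application's behaviour before deploying a rule like this.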
