As of Feb 12th, the solution for the TLS renegotiation man-in-the-middle attack is an official IETF standard:
http://tools.ietf.org/html/rfc5746
I’m super happy and excited as this is the first RFC I am a co-author of and it fixes a major problem with one of the most widely used security protocols. Now let’s hope it will get quickly implemented, deployed, and eventually enforced.
It’s been a while since I last checked any news or used a computer. I was away for more than a month spending time with our new baby daughter and almost completely disconnected from the tubes of the net.
Now that I’m back, I wanted to point to a patch from Microsoft that allows admins to disable TLS renegotiation on both the client and the server side. The security advisory is 977377 and MSRC has published a blog post with a bit more details.
The new RFC that will outline the changes needed to the TLS protocol to fix the problem is almost there and should be out “real soon now”.