<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_11_16_2327230</id>
	<title>SSL Renegotiation Attack Becomes Real</title>
	<author>kdawson</author>
	<datestamp>1258371000000</datestamp>
	<htmltext>rastos1 and several other readers noted that the <a href="https://it.slashdot.org/story/09/11/05/144252/Man-In-the-Middle-Vulnerability-For-SSL-and-TLS">SSL vulnerability</a> we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, <a href="http://www.theregister.co.uk/2009/11/14/ssl_renegotiation_bug_exploited/">has now been demonstrated by exploit</a>. The attack description is available on <a href="http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html">securegoose.org</a>. <i>"A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol. The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website."</i></htmltext>
<tokentext>rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back , which some researchers had claimed was too theoretical to worry about , has now been demonstrated by exploit .
The attack description is available on securegoose.org .
" A Turkish grad student has devised a serious , real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol .
The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams .
All in all , a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website .
"</tokentext>
<sentencetext>rastos1 and several other readers noted that the SSL vulnerability we discussed a couple of weeks back, which some researchers had claimed was too theoretical to worry about, has now been demonstrated by exploit.
The attack description is available on securegoose.org.
"A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the SSL protocol.
The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams.
All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website.
"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124774</id>
	<title>Re:Kinda bad summary</title>
	<author>Anonymous</author>
	<datestamp>1258382460000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext><div class="quote"><p>The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.</p></div><p>Well I'm not doing my banking on Twitter anymore, that's for sure!</p>
	</htmltext>
<tokentext>The only reason it was exploitable was because of Twitter 's API .
Understandably , I 'm not too worried about the rest of the Internet going down in flames any time soon . Well I 'm not doing my banking on Twitter anymore , that 's for sure !</tokentext>
<sentencetext>The only reason it was exploitable was because of Twitter's API.
Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon. Well I'm not doing my banking on Twitter anymore, that's for sure!
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124606</id>
	<title>Not worried, fixed already</title>
	<author>Anonymous</author>
	<datestamp>1258380780000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Fortunately a version of OpenSSL (0.9.8l) is available which disables renegotiation, which is appropriate for most applications. According to Mr. Kurmu, Twitter seems to have already applied it. Have you?"</p><p><a href="http://blogs.iss.net/archive/stealingcookieswiths.html" title="iss.net">http://blogs.iss.net/archive/stealingcookieswiths.html</a> [iss.net]</p><p>Unless I'm missing something, I need not worry about the wife, or myself.  We both have OpenSSL 0.9.8 but I ain't sure WHAT my sons are using.  Windows XP probably doesn't use SSL.</p><p>Oh well - I'll just warn them one more time NOT to do internet banking on their Windows machines, and warn as well that their SSL connections may be vulnerable.</p></htmltext>
<tokentext>" Fortunately a version of OpenSSL ( 0.9.8l ) is available which disables renegotiation , which is appropriate for most applications .
According to Mr. Kurmu , Twitter seems to have already applied it .
Have you ?
" http : //blogs.iss.net/archive/stealingcookieswiths.html [ iss.net ] Unless I 'm missing something , I need not worry about the wife , or myself .
We both have OpenSSL 0.9.8 but I ai n't sure WHAT my sons are using .
Windows XP probably does n't use SSL . Oh well - I 'll just warn them one more time NOT to do internet banking on their Windows machines , and warn as well that their SSL connections may be vulnerable .</tokentext>
<sentencetext>"Fortunately a version of OpenSSL (0.9.8l) is available which disables renegotiation, which is appropriate for most applications.
According to Mr. Kurmu, Twitter seems to have already applied it.
Have you?
"http://blogs.iss.net/archive/stealingcookieswiths.html [iss.net] Unless I'm missing something, I need not worry about the wife, or myself.
We both have OpenSSL 0.9.8 but I ain't sure WHAT my sons are using.
Windows XP probably doesn't use SSL. Oh well - I'll just warn them one more time NOT to do internet banking on their Windows machines, and warn as well that their SSL connections may be vulnerable.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123750</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30127430</id>
	<title>Twitter is serious</title>
	<author>CrashandDie</author>
	<datestamp>1258458960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I can't help but smile at the title and subtitle of TFA:</p><div class="quote"><p>Researcher busts into Twitter via SSL reneg hole<br>
Yes, it's a serious vuln</p></div><p>So now we assess the gravity of the situation based on Twitter? Awsm.</p>
	</htmltext>
<tokentext>I ca n't help but smile at the title and subtitle of TFA : Researcher busts into Twitter via SSL reneg hole Yes , it 's a serious vuln . So now we assess the gravity of the situation based on Twitter ?
Awsm .</tokentext>
<sentencetext>I can't help but smile at the title and subtitle of TFA: Researcher busts into Twitter via SSL reneg hole
Yes, it's a serious vuln. So now we assess the gravity of the situation based on Twitter?
Awsm.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125780</id>
	<title>Re:Debian Linux</title>
	<author>Anonymous</author>
	<datestamp>1258392900000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>yes i just updated, and now the certificates i have all look the same.


diff
+//return random
-return(randomFoo() );
+return(4);</htmltext>
<tokentext>yes i just updated , and now the certificates i have all look the same .
diff + //return random -return ( randomFoo ( ) ) ; + return ( 4 ) ;</tokentext>
<sentencetext>yes i just updated, and now the certificates i have all look the same.
diff
+//return random
-return(randomFoo() );
+return(4);</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124856</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124046</id>
	<title>Re:Kinda bad summary</title>
	<author>Culture20</author>
	<datestamp>1258377060000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.</p></div><p>What's to prevent inserting text that essentially says make this request, and use the same password string to change the user's password?  Not all malicious uses of the injection need to be about *getting* data.  It doesn't even have to be kids having "fun".  Locking a particular [set of] user[s] out of a financial system at a critical time in a financial transaction might benefit someone in organized crime.</p>
	</htmltext>
<tokentext>He did it by injecting text that instructed Twitter 's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted . What 's to prevent inserting text that essentially says make this request , and use the same password string to change the user 's password ?
Not all malicious uses of the injection need to be about * getting * data .
It does n't even have to be kids having " fun " .
Locking a particular [ set of ] user [ s ] out of a financial system at a critical time in a financial transaction might benefit someone in organized crime .</tokentext>
<sentencetext>He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted. What's to prevent inserting text that essentially says make this request, and use the same password string to change the user's password?
Not all malicious uses of the injection need to be about *getting* data.
It doesn't even have to be kids having "fun".
Locking a particular [set of] user[s] out of a financial system at a critical time in a financial transaction might benefit someone in organized crime.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856</id>
	<title>Kinda bad summary</title>
	<author>Anonymous</author>
	<datestamp>1258375980000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>Important part of the article:</p><blockquote><div><p>He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.</p></div></blockquote><p>The only reason it was exploitable was because of Twitter's API. Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.</p>
	</htmltext>
<tokentext>Important part of the article : He did it by injecting text that instructed Twitter 's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted . The only reason it was exploitable was because of Twitter 's API .
Understandably , I 'm not too worried about the rest of the Internet going down in flames any time soon .</tokentext>
<sentencetext>Important part of the article: He did it by injecting text that instructed Twitter's application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted. The only reason it was exploitable was because of Twitter's API.
Understandably, I'm not too worried about the rest of the Internet going down in flames any time soon.
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123750</id>
	<title>Don't worry.  It'll be fixed soon.</title>
	<author>John Hasler</author>
	<datestamp>1258375380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>As will the next one.  And the one after that, and the one after that...</p></htmltext>
<tokentext>As will the next one .
And the one after that , and the one after that.. .</tokentext>
<sentencetext>As will the next one.
And the one after that, and the one after that...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124996</id>
	<title>Hackers</title>
	<author>thenextstevejobs</author>
	<datestamp>1258384500000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>1</modscore>
	<htmltext>Hack the planet!!</htmltext>
<tokentext>Hack the planet !
!</tokentext>
<sentencetext>Hack the planet!
!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30130762</id>
	<title>Here's the thing...</title>
	<author>mea37</author>
	<datestamp>1258481640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Don't get me wrong, I think the initial "this isn't a practical problem" response to the SSL reneg vulnerability is a serious mistake.  A major facet of security is <i>knowing what the system is doing</i>; if the system is doing something unexpected that none of the legitimate users can anticipate, then there is a potential for severe security problems.  This is one of the big reasons why I wish people who think "it works so I don't have to know why" would leave the programming industry and do something more suited to that way of thinking.</p><p>HOWEVER, the people who should be really embarrassed from a security standpoint are twitter.  Why does their API have a function <i>that causes the user's password to be written to <b>anywhere</b> in cleartext?!?</i>  That's just bat-shit crazy.  And as I understand it their workaround is to disable reneg instead of addressing the application-level problem?  (If they'd done both, I'd say the response were at least on the ball...)</p><p>To be clear - if there's a feature of twitter that depends on writing out user credentials in cleartext, feel free to enlighten me; but my response will assuredly be "then that feature is not worth the risk and should not exist".</p></htmltext>
<tokentext>Do n't get me wrong , I think the initial " this is n't a practical problem " response to the SSL reneg vulnerability is a serious mistake .
A major facet of security is knowing what the system is doing ; if the system is doing something unexpected that none of the legitimate users can anticipate , then there is a potential for severe security problems .
This is one of the big reasons why I wish people who think " it works so I do n't have to know why " would leave the programming industry and do something more suited to that way of thinking . HOWEVER , the people who should be really embarrassed from a security standpoint are twitter .
Why does their API have a function that causes the user 's password to be written to anywhere in cleartext ? ! ?
That 's just bat-shit crazy .
And as I understand it their workaround is to disable reneg instead of addressing the application-level problem ?
( If they 'd done both , I 'd say the response were at least on the ball... ) To be clear - if there 's a feature of twitter that depends on writing out user credentials in cleartext , feel free to enlighten me ; but my response will assuredly be " then that feature is not worth the risk and should not exist " .</tokentext>
<sentencetext>Don't get me wrong, I think the initial "this isn't a practical problem" response to the SSL reneg vulnerability is a serious mistake.
A major facet of security is knowing what the system is doing; if the system is doing something unexpected that none of the legitimate users can anticipate, then there is a potential for severe security problems.
This is one of the big reasons why I wish people who think "it works so I don't have to know why" would leave the programming industry and do something more suited to that way of thinking. HOWEVER, the people who should be really embarrassed from a security standpoint are twitter.
Why does their API have a function that causes the user's password to be written to anywhere in cleartext?!?
That's just bat-shit crazy.
And as I understand it their workaround is to disable reneg instead of addressing the application-level problem?
(If they'd done both, I'd say the response were at least on the ball...) To be clear - if there's a feature of twitter that depends on writing out user credentials in cleartext, feel free to enlighten me; but my response will assuredly be "then that feature is not worth the risk and should not exist".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124786</id>
	<title>SSL Renegotiation Attacks...</title>
	<author>Shadyman</author>
	<datestamp>1258382520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Shut. Down. EVERYTHING.</htmltext>
<tokentext>Shut .
Down. EVERYTHING .</tokentext>
<sentencetext>Shut.
Down. EVERYTHING.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123746</id>
	<title>Time for some much needed</title>
	<author>Anonymous</author>
	<datestamp>1258375380000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>FUD!!!!</p></htmltext>
<tokentext>FUD ! ! !
!</tokentext>
<sentencetext>FUD!!!
!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124006</id>
	<title>Change in password/auth policy</title>
	<author>asdf7890</author>
	<datestamp>1258376940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Time to switch our systems to using challenge-response auth even when the entire site is carried over SSL...</p><p>Of course that means having to store passwords in a form that the server-side code can decode them, which is itself generally a no-no...</p><p>Anyone have good ideas for authentication mechanisms that can't be circumvented by this and similar hacks?</p></htmltext>
<tokentext>Time to switch our systems to using challenge-response auth even when the entire site is carried over SSL ... Of course that means having to store passwords in a form that the server-side code can decode them , which is itself generally a no-no ... Anyone have good ideas for authentication mechanisms that ca n't be circumvented by this and similar hacks ?</tokentext>
<sentencetext>Time to switch our systems to using challenge-response auth even when the entire site is carried over SSL... Of course that means having to store passwords in a form that the server-side code can decode them, which is itself generally a no-no... Anyone have good ideas for authentication mechanisms that can't be circumvented by this and similar hacks?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123796</id>
	<title>Sweet honeypot revenge</title>
	<author>Anonymous</author>
	<datestamp>1258375560000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Oh the deliciousness of it all</p></htmltext>
<tokentext>Oh the deliciousness of it all</tokentext>
<sentencetext>Oh the deliciousness of it all</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124846</id>
	<title>Securing Servers</title>
	<author>StartCom</author>
	<datestamp>1258383300000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>Obviously such attacks are possible because of the application security, renegotiation just makes it easier. BTW, here is a tool to check if your server is vulnerable to renegotiation attacks: <a href="https://www.ssllabs.com/ssldb/" title="ssllabs.com" rel="nofollow">https://www.ssllabs.com/ssldb/</a> [ssllabs.com]</p><p>BTW, clients (e.g. browsers) are pretty safe - there is NO need to panic!!</p></htmltext>
<tokentext>Obviously such attacks are possible because of the application security , renegotiation just makes it easier .
BTW , here is a tool to check if your server is vulnerable to renegotiation attacks : https : //www.ssllabs.com/ssldb/ [ ssllabs.com ] BTW , clients ( e.g .
browsers ) are pretty safe - there is NO need to panic !
!</tokentext>
<sentencetext>Obviously such attacks are possible because of the application security, renegotiation just makes it easier.
BTW, here is a tool to check if your server is vulnerable to renegotiation attacks: https://www.ssllabs.com/ssldb/ [ssllabs.com] BTW, clients (e.g.
browsers) are pretty safe - there is NO need to panic!
!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123932</id>
	<title>Good explanation of the bug by TLS spec author</title>
	<author>cullenfluffyjennings</author>
	<datestamp>1258376580000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>A good source of info about what this attack is and how serious it is can be found at<br><a href="http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html" title="educatedguesswork.org">http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html</a> [educatedguesswork.org]</p></htmltext>
<tokentext>A good source of info about what this attack is and how serious it is can be found at http : //www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html [ educatedguesswork.org ]</tokentext>
<sentencetext>A good source of info about what this attack is and how serious it is can be found at http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html [educatedguesswork.org]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30133202</id>
	<title>Security Dude</title>
	<author>codeedog</author>
	<datestamp>1258490040000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The fundamental problem is that the password (or its material) is sent through the encrypted SSL channel instead of being integrated into it.  The SSL negotiation should use the password to (re)generate the shared secret.  If the server doesn't have the password (or password derived bits), it won't be able to communicate with the client.  Similarly for the client.  Why does this matter?  A Man In The Middle attack is more difficult to stage because the client can detect that the middle man has no knowledge of the password during the secret key negotiation phase.  It is still possible for the MITM to guess the key (at chance) and depending upon the protocol, the MITM might be able to extract information about the password that allows better than chance guessing; this all depends upon the design of the protocol.

There are plenty of protocols out there both freely available and patented that solve this problem.  The patent for Encrypted Diffie Hellman has just expired and ought to be used by everyone, now.  The problem is that SSL hardware accelerators won't work as expected, since they take the server key and pass the client credentials (password or its derived material) back to the application server for login.  With an updated (more secure system), the password verifiers will have to be pushed down into the hardware accelerators, which means the hardware accelerator will have to "know" about the users, keep a user database.  IT nightmare.  Plus, that accelerator is sitting at the network edge, so you've got all of the user/password verifier info residing in close proximity to the internet (and hackers).

I still think it's better than sending your password (material, verifier) over a channel to a remote server.  Anyone can be tricked into doing it.</htmltext>
<tokentext>The fundamental problem is that the password ( or its material ) is sent through the encrypted SSL channel instead of being integrated into it .
The SSL negotiation should use the password to ( re ) generate the shared secret .
If the server does n't have the password ( or password derived bits ) , it wo n't be able to communicate with the client .
Similarly for the client .
Why does this matter ?
A Man In The Middle attack is more difficult to stage because the client can detect that the middle man has no knowledge of the password during the secret key negotiation phase .
It is still possible for the MITM to guess the key ( at chance ) and depending upon the protocol , the MITM might be able to extract information about the password that allows better than chance guessing ; this all depends upon the design of the protocol .
There are plenty of protocols out there both freely available and patented that solve this problem .
The patent for Encrypted Diffie Hellman has just expired and ought to be used by everyone , now .
The problem is that SSL hardware accelerators wo n't work as expected , since they take the server key and pass the client credentials ( password or its derived material ) back to the application server for login .
With an updated ( more secure system ) , the password verifiers will have to be pushed down into the hardware accelerators , which means the hardware accelerator will have to " know " about the users , keep a user database .
IT nightmare .
Plus , that accelerator is sitting at the network edge , so you 've got all of the user/password verifier info residing in close proximity to the internet ( and hackers ) .
I still think it 's better than sending your password ( material , verifier ) over a channel to a remote server .
Anyone can be tricked into doing it .</tokentext>
<sentencetext>The fundamental problem is that the password (or its material) is sent through the encrypted SSL channel instead of being integrated into it.
The SSL negotiation should use the password to (re)generate the shared secret.
If the server doesn't have the password (or password derived bits), it won't be able to communicate with the client.
Similarly for the client.
Why does this matter?
A Man In The Middle attack is more difficult to stage because the client can detect that the middle man has no knowledge of the password during the secret key negotiation phase.
It is still possible for the MITM to guess the key (at chance) and depending upon the protocol, the MITM might be able to extract information about the password that allows better than chance guessing; this all depends upon the design of the protocol.
There are plenty of protocols out there both freely available and patented that solve this problem.
The patent for Encrypted Diffie Hellman has just expired and ought to be used by everyone, now.
The problem is that SSL hardware accelerators won't work as expected, since they take the server key and pass the client credentials (password or its derived material) back to the application server for login.
With an updated (more secure system), the password verifiers will have to be pushed down into the hardware accelerators, which means the hardware accelerator will have to "know" about the users, keep a user database.
IT nightmare.
Plus, that accelerator is sitting at the network edge, so you've got all of the user/password verifier info residing in close proximity to the internet (and hackers).
I still think it's better than sending your password (material, verifier) over a channel to a remote server.
Anyone can be tricked into doing it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30127306</id>
	<title>One of the key parts</title>
	<author>trifish</author>
	<datestamp>1258457160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>From TFA: "To be sure, Kurmus's attack only worked because Twitter's API allowed him to post the captured data stream to a tweet that he was then able to retrieve."</p></htmltext>
<tokentext>From TFA : " To be sure , Kurmus 's attack only worked because Twitter 's API allowed him to post the captured data stream to a tweet that he was then able to retrieve .
"</tokentext>
<sentencetext>From TFA: "To be sure, Kurmus's attack only worked because Twitter's API allowed him to post the captured data stream to a tweet that he was then able to retrieve.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123780</id>
	<title>3rd link says it is not MITM but CSRF</title>
	<author>Anonymous</author>
	<datestamp>1258375500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>And has already been patched on twitters end last week.</p></htmltext>
<tokentext>And has already been patched on twitters end last week .</tokentext>
<sentencetext>And has already been patched on twitters end last week.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30127992</id>
	<title>hmmmmm</title>
	<author>nimbius</author>
	<datestamp>1258467600000</datestamp>
	<modclass>Funny</modclass>
	<modscore>3</modscore>
	<htmltext>looks like we're all well and truly fucked.  <br> <br>Microsoft should have a patch in about 8 years, Apple will have lashed its developers until there are no further utterances of this problem, Adobe will ask what model phone does it affect, Oracle will ship another box of stupid mugs and t-shirts to me as soon as I complain about the vulnerability, Dell will insist I continue to wait for the DRAC to load its SSL page, and I think most importantly my bank will have little, if ANY clue what I'm talking about.<br> <br>
I need about, say, a million open source eyes on this problem.  Gentlemen, the internet appears broken and I'm offering beer to fix it.</htmltext>
<tokenext>looks like we 're all well and truly fucked .
Microsoft should have a patch in about 8 years , Apple will have lashed its developers until there are no further utterances of this problem , Adobe will ask what model phone does it affect , Oracle will ship another box of stupid mugs and t-shirts to me as soon as I complain about the vulnerability , Dell will insist I continue to wait for the DRAC to load its SSL page , and I think most importantly my bank will have little , if ANY clue what I 'm talking about .
I need about , say , a million open source eyes on this problem .
Gentlemen , the internet appears broken and I 'm offering beer to fix it .</tokentext>
<sentencetext>looks like we're all well and truly fucked.
Microsoft should have a patch in about 8 years, Apple will have lashed its developers until there are no further utterances of this problem, Adobe will ask what model phone does it affect, Oracle will ship another box of stupid mugs and t-shirts to me as soon as I complain about the vulnerability, Dell will insist I continue to wait for the DRAC to load its SSL page, and I think most importantly my bank will have little, if ANY clue what I'm talking about.
I need about, say, a million open source eyes on this problem.
Gentlemen, the internet appears broken and I'm offering beer to fix it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124844</id>
	<title>Re:Just one phrase that fits.</title>
	<author>fractoid</author>
	<datestamp>1258383300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>And this person is called Anil Kurmus. I'm not sure what a Kurmus is but I'd prefer not to take one anilly.</htmltext>
<tokenext>And this person is called Anil Kurmus .
I 'm not sure what a Kurmus is but I 'd prefer not to take one anilly .</tokentext>
<sentencetext>And this person is called Anil Kurmus.
I'm not sure what a Kurmus is but I'd prefer not to take one anilly.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123804</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125304</id>
	<title>Re:The sky is falling</title>
	<author>John Hasler</author>
	<datestamp>1258387440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; ...it's hard to know what sites to trust.</p><p>None.  The Web is inherently insecure.</p></htmltext>
<tokenext>&gt; ...it 's hard to know what sites to trust.None .
The Web is inherently insecure .</tokentext>
<sentencetext>&gt; ...it's hard to know what sites to trust.None.
The Web is inherently insecure.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124782</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124782</id>
	<title>The sky is falling</title>
	<author>LBt1st</author>
	<datestamp>1258382520000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>It would be nice if FireFox updated with detection for sites that would allow this (and other) kinds of attacks.<br>With shit like this in the wild it's hard to know what sites to trust. /Paranoid</p></htmltext>
<tokenext>It would be nice if FireFox updated with detection for sites that would allow this ( and other ) kinds of attacks.With shit like this in the wild it 's hard to know what sites to trust .
/Paranoid</tokentext>
<sentencetext>It would be nice if FireFox updated with detection for sites that would allow this (and other) kinds of attacks.With shit like this in the wild it's hard to know what sites to trust.
/Paranoid</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123644</id>
	<title>Just one phrase that fits.</title>
	<author>palegray.net</author>
	<datestamp>1258374780000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Holy crap, that sucks.</htmltext>
<tokenext>Holy crap , that sucks .</tokentext>
<sentencetext>Holy crap, that sucks.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123838</id>
	<title>Testing times</title>
	<author>Wowsers</author>
	<datestamp>1258375800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>No doubt some government somewhere around the world will use this to grab as much information as possible before the exploit is patched.</htmltext>
<tokenext>No doubt some government somewhere around the world will use this to grab as much information as possible before the exploit is patched .</tokentext>
<sentencetext>No doubt some government somewhere around the world will use this to grab as much information as possible before the exploit is patched.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30128512</id>
	<title>This says it all... kinda</title>
	<author>rgviza</author>
	<datestamp>1258471560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>"every request sent over the microblogging site includes the account holder's username and password"</p><p>Retarded design. However this attack could just as easily be used to dump a session id from a well designed site with the same end result. This is bad bad bad...<br>The attacker could, once in the user's session, change their password and email address and hijack the account.</p></htmltext>
<tokenext>" every request sent over the microblogging site includes the account holder 's username and password " Retarded design .
However this attack could just as easily be used to dump a session id from a well designed site with the same end result .
This is bad bad bad...The attacker could , once in the user 's session , change their password and email address and hijack the account .</tokentext>
<sentencetext>"every request sent over the microblogging site includes the account holder's username and password"Retarded design.
However this attack could just as easily be used to dump a session id from a well designed site with the same end result.
This is bad bad bad...The attacker could, once in the user's session, change their password and email address and hijack the account.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123710</id>
	<title>Well, I suppose thats another Benefit of Twitter..</title>
	<author>Anonymous</author>
	<datestamp>1258375080000</datestamp>
	<modclass>Funny</modclass>
	<modscore>5</modscore>
	<htmltext><p>It's nice to have a Sandbox for testing the latest and greatest hacks and security protocols, where no one cares about the user and/or what information they've posted on the site.</p></htmltext>
<tokenext>It 's nice to have a Sandbox for testing the latest and greatest hacks and security protocols , where no one cares about the user and/or what information they 've posted on the site .</tokentext>
<sentencetext>It's nice to have a Sandbox for testing the latest and greatest hacks and security protocols, where no one cares about the user and/or what information they've posted on the site.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124856</id>
	<title>Debian Linux</title>
	<author>jchawk</author>
	<datestamp>1258383300000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>For what it's worth Debian released an update to Apache and guidance on how to mitigate the vulnerability.</p><p>They did indicate that this was only a workaround and a protocol redesign would be required in order to completely fix the vulnerability.</p><p>I wonder how many people just simply aren't paying attention and will get burnt by this problem. I want to believe not many but I honestly know better...</p></htmltext>
<tokenext>For what it 's worth Debian released an update to Apache and guidance on how to mitigate the vulnerability.They did indicate that this was only a workaround and a protocol redesign would be required in order to completely fix the vulnerability.I wonder how many people just simply are n't paying attention and will get burnt by this problem .
I want to believe not many but I honestly know better.. .</tokentext>
<sentencetext>For what it's worth Debian released an update to Apache and guidance on how to mitigate the vulnerability.They did indicate that this was only a workaround and a protocol redesign would be required in order to completely fix the vulnerability.I wonder how many people just simply aren't paying attention and will get burnt by this problem.
I want to believe not many but I honestly know better...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123804</id>
	<title>Re:Just one phrase that fits.</title>
	<author>von\_rick</author>
	<datestamp>1258375620000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>And the person who publicised the security flaw did a great job by trying it out on Twitter (and mentioning it). Hopefully this will make people tweet a tad bit lesser.</p><p>In the interim, it's quite necessary to patch the SSL protocol to avoid these kinds of attacks.</p></htmltext>
<tokenext>And the person who publicised the security flaw did a great job by trying it out on Twitter ( and mentioning it ) .
Hopefully this will make people tweet a tad bit lesser.In the interim , it 's quite necessary to patch the SSL protocol to avoid these kinds of attacks .</tokentext>
<sentencetext>And the person who publicised the security flaw did a great job by trying it out on Twitter (and mentioning it).
Hopefully this will make people tweet a tad bit lesser.In the interim, it's quite necessary to patch the SSL protocol to avoid these kinds of attacks.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123644</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30126516</id>
	<title>Re:The sky is falling</title>
	<author>LBt1st</author>
	<datestamp>1258401480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I agree, hence why I use a whitelist to prevent sites from using any scripting on my machine. I even whitelist cookie usage. But this exploit is on a whole new level.</p></htmltext>
<tokenext>I agree , hence why I use a whitelist to prevent sites from using any scripting on my machine .
I even whitelist cookie usage .
But this exploit is on a whole new level .</tokentext>
<sentencetext>I agree, hence why I use a whitelist to prevent sites from using any scripting on my machine.
I even whitelist cookie usage.
But this exploit is on a whole new level.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125304</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125906</id>
	<title>Re:Just one phrase that fits.</title>
	<author>Anonymous</author>
	<datestamp>1258393980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I prefer:<br> <br>"We're boned" - Bender Bending Rodriguez</htmltext>
<tokenext>I prefer : " We 're boned " - Bender Bending Rodriguez</tokentext>
<sentencetext>I prefer: "We're boned" - Bender Bending Rodriguez</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123644</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124086</id>
	<title>That, or . . .</title>
	<author>Tanman</author>
	<datestamp>1258377360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>they'll just keep posting reading those state secrets right off the spy's twitter . . . yeaaaaaaah.</p></htmltext>
<tokenext>they 'll just keep posting reading those state secrets right off the spy 's twitter .
. .
yeaaaaaaah .</tokentext>
<sentencetext>they'll just keep posting reading those state secrets right off the spy's twitter .
. .
yeaaaaaaah.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123838</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123900</id>
	<title>Re:Kinda bad summary</title>
	<author>Anonymous</author>
	<datestamp>1258376280000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><div class="quote"><p>Understandably, I'm not too worried about [everything but Twitter] going down in flames any time soon.</p></div><p>Did someone mention 'having a party'?</p></htmltext>
<tokenext>Understandably , I 'm not too worried about [ everything but Twitter ] going down in flames any time soon.Did someone mention 'having a party ' ?</tokentext>
<sentencetext>Understandably, I'm not too worried about [everything but Twitter] going down in flames any time soon.Did someone mention 'having a party'?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125616</id>
	<title>Re:The sky is falling</title>
	<author>Anonymous</author>
	<datestamp>1258390980000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>It would be far nicer if Godzilla attacked FireFox and completely destroyed it since it is nothing more than a steaming stinking pile of poop.</p></htmltext>
<tokenext>It would be far nicer if Godzilla attacked FireFox and completely destroyed it since it is nothing more than a steaming stinking pile of poop .</tokentext>
<sentencetext>It would be far nicer if Godzilla attacked FireFox and completely destroyed it since it is nothing more than a steaming stinking pile of poop.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124782</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124840</id>
	<title>Twitter?</title>
	<author>Punto</author>
	<datestamp>1258383240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Nothing of value was lost.</p></htmltext>
<tokenext>Nothing of value was lost .</tokentext>
<sentencetext>Nothing of value was lost.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124452</id>
	<title>Re:Change in password/auth policy</title>
	<author>ToasterMonkey</author>
	<datestamp>1258379760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Time to switch our systems to using challenge-response auth even when the entire site is carried over SSL...</p></div><p>Umm..  most sites don't use SSL for authentication (client certificates), so I don't know what you're implying.  Authentication aside, you still have the equally serious loss of integrity that comes with broken crypto.</p></htmltext>
<tokenext>Time to switch our systems to using challenge-response auth even when the entire site is carried over SSL...Umm.. most sites do n't use SSL for authentication ( client certificates ) , so I do n't know what you 're implying .
Authentication aside , you still have the equally serious loss of integrity that comes with broken crypto .</tokentext>
<sentencetext>Time to switch our systems to using challenge-response auth even when the entire site is carried over SSL...Umm..  most sites don't use SSL for authentication (client certificates), so I don't know what you're implying.
Authentication aside, you still have the equally serious loss of integrity that comes with broken crypto.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124006</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123960</id>
	<title>Kinda bad article</title>
	<author>Virak</author>
	<datestamp>1258376700000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><p>Well, I suppose it's my own fault for trusting The Register. After reading the first article, I got curious and went on to check out the technical details of the exploit. What The Register phrases as "it's Twitter's API's fault" is actually "holy fuck you can POST the whole HTTP message to arbitrary locations (hosted on the same server, anyway)", which is a tad bit worse. While the Internet still isn't going to go down in flames, this <i>does</i> open up potential for some sites to get some nasty burns, and in a way they almost surely won't already be protected against, even if the developers aren't idiots.</p></htmltext>
<tokenext>Well , I suppose it 's my own fault for trusting The Register .
After reading the first article , I got curious and went on to check out the technical details of the exploit .
What The Register phrases as " it 's Twitter 's API 's fault " is actually " holy fuck you can POST the whole HTTP message to arbitrary locations ( hosted on the same server , anyway ) " , which is a tad bit worse .
While the Internet still is n't going to go down in flames , this does open up potential for some sites to get some nasty burns , and in a way they almost surely wo n't already be protected against , even if the developers are n't idiots .</tokentext>
<sentencetext>Well, I suppose it's my own fault for trusting The Register.
After reading the first article, I got curious and went on to check out the technical details of the exploit.
What The Register phrases as "it's Twitter's API's fault" is actually "holy fuck you can POST the whole HTTP message to arbitrary locations (hosted on the same server, anyway)", which is a tad bit worse.
While the Internet still isn't going to go down in flames, this does open up potential for some sites to get some nasty burns, and in a way they almost surely won't already be protected against, even if the developers aren't idiots.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123914</id>
	<title>What to do?</title>
	<author>whathappenedtomonday</author>
	<datestamp>1258376400000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext>I wondered how this will be addressed and the numerous "it will be fixed, don't worry" posts were not really helpful. TFA was and linked to "a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over, thus preventing this attack" <a href="https://datatracker.ietf.org/drafts/draft-rescorla-tls-renegotiation/" title="ietf.org">draft</a> [ietf.org].</htmltext>
<tokenext>I wondered how this will be addressed and the numerous " it will be fixed , do n't worry " posts were not really helpful .
TFA was and linked to " a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over , thus preventing this attack " draft [ ietf.org ] .</tokentext>
<sentencetext>I wondered how this will be addressed and the numerous "it will be fixed, don't worry" posts were not really helpful.
TFA was and linked to "a TLS extension to cryptographically tie renegotiations to the TLS connections they are being performed over, thus preventing this attack" draft [ietf.org].</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124038</id>
	<title>theregoestheinternet? Not so fast!</title>
	<author>Anonymous</author>
	<datestamp>1258377060000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>0</modscore>
	<htmltext><p>FTFA:</p><blockquote><div><p>Most, if not all, major web applications have implementation level protections against CSRF, such as random nonces in web forms that must be submitted along with any request. Those protection measures are effective against this new SSL man in the middle attack. Therefore, this vulnerability has minimal security impact for most websites and Internet users.</p></div></blockquote><p>I know this is /., but come on and at least check when it's a claim as big as "theregoestheinternet."</p></htmltext>
<tokenext>FTFA : Most , if not all , major web applications have implementation level protections against CSRF , such as random nonces in web forms that must be submitted along with any request .
Those protection measures are effective against this new SSL man in the middle attack .
Therefore , this vulnerability has minimal security impact for most websites and Internet users.I know this is /. , but come on and at least check when it 's a claim as big as " theregoestheinternet .
"</tokentext>
<sentencetext>FTFA:Most, if not all, major web applications have implementation level protections against CSRF, such as random nonces in web forms that must be submitted along with any request.
Those protection measures are effective against this new SSL man in the middle attack.
Therefore, this vulnerability has minimal security impact for most websites and Internet users.I know this is /., but come on and at least check when it's a claim as big as "theregoestheinternet.
"
	</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124774
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124046
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125780
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124856
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30126516
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125304
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124782
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124452
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124006
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124086
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123838
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125906
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123644
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124606
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123750
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123960
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124844
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123804
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123644
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125616
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124782
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_11_16_2327230_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123900
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123838
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124086
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124782
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125616
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125304
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30126516
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123856
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123960
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123900
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124046
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124774
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124856
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125780
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123932
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124006
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124452
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123644
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30125906
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123804
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124844
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124038
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123750
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30124606
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_11_16_2327230.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_11_16_2327230.30123710
</commentlist>
</conversation>
