Sniffen Packets

With a name like Sniffen, it's got to smell good.

OpenSSL DSA vulnerability understates risk

The recent vulnerability in OpenSSL’s verification of DSA signatures is big news. Both OpenSSL’s advisory and the OS vendors’ notices I’ve seen say that this affects clients of particular servers:
“Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key.”

Remember, the adversary controls the server. End-user browsers contain a few DSA certificate authorities. For the same reason that Verisign CA’s customers were vulnerable to the MD5 substitution vulnerability—even though only RapidSSL had the problem—this is really a man-in-the-middle attack on SSL and TLS generally.
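
An added example (not from the original post or from OpenSSL): a client inventory check against the advisory's 0.9.8j threshold, applied to every client regardless of which servers it normally talks to. Host names and banners are constructed. Vendors often backport fixes without changing the version string, so a hit means the package changelog needs checking, not that the host is certainly exposed.

```python
import re
import ssl

# Version banner as printed by `openssl version` or exposed by ssl.OPENSSL_VERSION.
_BANNER_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 0.9.8i 15 Sep 2008' into a tuple that sorts in release order."""
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letters = m.groups()
    # Patch letters run a..z, then za, zb, ...; (length, letters) preserves that order.
    return (int(major), int(minor), int(fix), len(letters), letters)


# First fixed release, taken from the advisory text quoted in the post.
FIXED = parse_openssl_version("OpenSSL 0.9.8j")


def is_affected(banner):
    """True if the banner names a release prior to 0.9.8j."""
    return parse_openssl_version(banner) < FIXED


def affected_clients(inventory):
    """Return hosts whose TLS client library predates the fix.

    There is deliberately no filter on which servers a client talks to: per the
    post, the attacker chooses the certificate the client sees.
    """
    return [host for host, banner in inventory if is_affected(banner)]


# Constructed inventory: (host, banner) pairs, not real systems.
SAMPLE_INVENTORY = [
    ("build-01", "OpenSSL 0.9.8i 15 Sep 2008"),
    ("mail-02", "OpenSSL 0.9.7m 23 Feb 2007"),
    ("web-03", "OpenSSL 0.9.8j 07 Jan 2009"),
    ("web-04", "OpenSSL 0.9.8za 5 Jun 2014"),
    ("app-05", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
]

if __name__ == "__main__":
    print("local:", ssl.OPENSSL_VERSION, "affected:", is_affected(ssl.OPENSSL_VERSION))
    print("inventory hits:", affected_clients(SAMPLE_INVENTORY))
```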