researcher demonstrates attack using ssl/tls reneg bug

Via Twitter I see someone has taken the SSL/TLS renegotiation vulnerability and was able to inject enough to get the target to display unencrypted Twitter username/passwd combinations.

This still has some limitations, I imagine. For instance, you’d have to inject into a stream that could post or somehow redirect the unencrypted data, otherwise you’re really not getting anything or going to be able to see anything. Perhaps you can inject something that will affect the user’s browser, but I see that less as the whole attack, and rather more like a way to get in and start doing Bad Things. It’s still only half a big deal. And I’m not even talking yet that you have to be in the middle of the traffic stream.

The article says critics were somewhat dismissive of the bug initially. While that can be true to some degree, I expected it to be somewhat shunned because it is a highly technical bug and not easy to either explain to a journalist or have a journalist properly regurgitate back out for their pub. This is especially true since no one put into layman’s terms what all the techspeak meant.