I've been reading through Oppliger's "SSL and TLS: Theory and Practice" and am finding it all rather fascinating. Anyway, I was curious about this known vulnerability, referenced in RFC5746:
http://tools.ietf.org/html/rfc5746
I also found this Mozilla document released a year or so ago:
https://wiki.mozilla.org/Security:Renegotiation
In it they lament about the fact that this known vulnerability (concerning SSL/TLS negotiation) has an available fix, but almost none of the major Web sites utilizing HTTPS have implemented it on their servers. I reactivated the fail safes and warning built into Firefox (which are now disabled by default), and discovered that both my on-line banking application and my favorite e-commerce site are not using the updated renegotiation extension.
So, naturally I am curious: Have hackers (crackers) ever exploited this vulnerability? Is it practically possible for them to do so? How hard would it be?