by duskwuff 3523 days ago
This seems like a pretty... weak vulnerability.

Sure -- you can send an SSL server a bunch of junk data, and it'll try to process that data. But from what I gather, it's not as though it takes an unusually long time for it to process these warnings either. Any attacker with the resources to perform this attack could probably just as easily saturate the host's network connection without involving SSL at all.


Not necessarily; DoS is all about asymmetry. If it's 1:1 then yeah, but if this only requires a handful of packets to cause the same resource exhaustion as 1000s or 10000s of normal SSL sessions, then this is an issue.

You can't bring a site down from your phone normally; if there is a CPU-eating bug, on the other hand, you can.

Right, of course. I just don't see any reason that there would be an especially high "multiplier" on this vulnerability. A spurious SSL warning doesn't require the server to do anything particularly expensive; it just requires it to look at the ID, realize it's something weird that it doesn't recognize, and move on.