German hackers release tool that could let one laptop take down a server farm

Resource exhaustion is the new DDOS; every server running SSL is vulnerable.

By Kevin Fogarty

THC members quoted by the IDG News Service said they have known about the flaw since 2008 and, for almost as long, have had a more effective way to use it – one that wasn't fixed by the 2010 patch.

They used the technique to participate in the Anonymous-led DDOS attack on MasterCard last year, according to the IDG News Service story.

Rather than trying to steal a password, the THC tool simply sets up an SSL connection, then asks for another certificate.

The process of generating and providing the certificate puts 15 times as much load on the server as on the client, according to the technical-information page on the THC-SSL-DOS tool.

So one client can get a server to spend 15 times the memory and CPU cycles fulfilling a request as the client spends sending it – a huge improvement over DDOS attacks that leave clients working hard to send one request after another to servers designed to handle such requests far faster than a general-purpose client machine can generate them.

On a server with SSL Renegotiation enabled, the tool running on just one laptop might be able to bring down a server by itself.

An average server can handle about 300 SSL handshakes per second before redlining. The client-side portion of that load would use 10 percent to 15 percent of an average laptop's capacity, the THC documentation said.

On servers that have SSL Renegotiation disabled and load balancers to help protect them, it might take 20 laptops to take down a server farm, according to THC members quoted in the IDG story.

There are no real countermeasures to stop the attacks, except to disable SSL Renegotiation and buy an SSL Accelerator, the THC paper said.

Even those can be avoided by tweaking the code of the tool, however.
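Disabling renegotiation is the fix the article names; where that cannot be done immediately, a per-client handshake budget at least makes the pattern visible in server-side telemetry. The following is an added example, not code from THC or from the article: a sliding-window counter over constructed TLS event records that flags any client whose handshake-plus-renegotiation rate exceeds a budget, and reports the aggregate rate against the article's figure of about 300 handshakes per second (assumed here as the server's capacity). The event format, addresses and threshold are constructed for the illustration.

```python
import math
from collections import defaultdict, deque

# Constructed sample of server-side TLS events (not real log data).
# Each tuple: (timestamp in seconds, client address, event type).
# 192.0.2.10 forces 50 renegotiations on one connection within a second;
# 198.51.100.7 opens three ordinary connections over ten seconds.
SAMPLE_EVENTS = sorted(
    [(0.0, "192.0.2.10", "handshake")]
    + [(i / 50, "192.0.2.10", "renegotiation") for i in range(1, 51)]
    + [(0.5, "198.51.100.7", "handshake"),
       (4.2, "198.51.100.7", "handshake"),
       (9.9, "198.51.100.7", "handshake")]
)

# Event types that cost the server a full asymmetric-key operation.
HANDSHAKE_EVENTS = {"handshake", "renegotiation"}

# Assumed server budget, taken from the article's "about 300 SSL handshakes
# per second" figure; replace with a measured value for a real deployment.
SERVER_HANDSHAKES_PER_SECOND = 300


def peak_rates(events, window_seconds=1.0, key=lambda ev: ev[1]):
    """Return {key: peak handshake-class events in any sliding window}.

    Events must be sorted by timestamp. For each key (by default the client
    address) a deque holds the timestamps inside the current window, so its
    length is the current per-window rate; the maximum seen is the peak.
    """
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, _client, kind in events:
        if kind not in HANDSHAKE_EVENTS:
            continue
        q = windows[key((ts, _client, kind))]
        q.append(ts)
        cutoff = ts - window_seconds
        while q[0] <= cutoff:          # drop timestamps that left the window
            q.popleft()
        k = key((ts, _client, kind))
        peaks[k] = max(peaks[k], len(q))
    return dict(peaks)


def aggregate_peak_rate(events, window_seconds=1.0):
    """Peak handshake-class events per window across all clients combined."""
    # Collapsing every event onto one key turns the per-client counter into
    # a server-wide one; an empty event list yields 0.
    return peak_rates(events, window_seconds, key=lambda ev: "*").get("*", 0)


def flag_abusers(events, window_seconds=1.0, max_per_window=10):
    """Clients whose peak per-window rate exceeds the allowed budget."""
    return {client: rate
            for client, rate in peak_rates(events, window_seconds).items()
            if rate > max_per_window}


def capacity_fraction(rate, capacity=SERVER_HANDSHAKES_PER_SECOND):
    """Share of the server's handshake budget that a per-second rate consumes."""
    return rate / capacity


if __name__ == "__main__":
    for client, rate in flag_abusers(SAMPLE_EVENTS).items():
        print(f"{client}: {rate} handshakes/s "
              f"({capacity_fraction(rate):.0%} of assumed server capacity)")
    total = aggregate_peak_rate(SAMPLE_EVENTS)
    print(f"aggregate peak: {total} handshakes/s, "
          f"{math.ceil(capacity_fraction(total) * 100)}% of assumed capacity")
```

The per-client figure is what a rate limiter or firewall rule would act on; the aggregate figure is the one to compare against measured handshake capacity, since a client that stays under the per-client budget can still contribute to saturation when enough of them arrive at once.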

"A better solution is desirable," THC's summary concludes. "Somebody should fix this."

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
