Re: Audit: don't only focus on heartbleed issue

[Hanno Böck <hanno () hboeck de>]

On Wed, 16 Apr 2014 18:10:15 +0800
Shawn <citypw () gmail com> wrote:

> I do believe Lucky-thirteen is far
> more dangerous than heartbleed, we just don't know.

I'd really like to hear some arguments to back that claim.
Basically, Lucky13 is a protocol problem and thus the fix is a bit less
obvious than for heartbleed.

But appart from that: Lucky thirteen only poses a threat if you can
capture insane amounts of the same data encrypted. I never saw any
scenario where I thought this is really a practical threat.
"Getting the private key and other random stuff from Server's memory"
definitely is.

I am all for fixing things like BEAST and Lucky13 and I hope we can
soon all switch to either AES-GCM or AES-CBC with the hopefully soon
released Encrypt-then-MAC extension. But we should keep perspectives:
Heartbleed is a big problem, Lucky Thirteen is minor in comparison.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/