nanog mailing list archives
RE: SSL crack in the news
From: "St. Clair, James" <JStClair () vredenburg com>
Date: Sat, 22 Feb 2003 17:33:37 -0500
Yeah, CNN screwed up the story more than they released anything..

Jim

-----Original Message-----
From: Matt Zimmerman
To: nanog () merit edu
Sent: 2/22/03 5:13 PM
Subject: Re: SSL crack in the news

On Sat, Feb 22, 2003 at 03:55:14PM -0500, Mark Radabaugh wrote:
> http://www.cnn.com/2003/TECH/internet/02/21/email.encryption.reut/index.html
> Very little real information...

Sounds like a CNN-digested version of CAN-2003-0078, which is a (relatively
minor) bug in OpenSSL which allows for a timing attack.

OpenSSL CHANGES file:

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]

CNN:

  NEW YORK (Reuters) -- Researchers at a Swiss university have cracked the
  technology used to keep people from eavesdropping on e-mail sent over the
  Web...

Typical.

-- 
 - mdz
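
The countermeasure in the quoted CHANGES entry, shown as an added Python illustration that is not part of the original thread and is not OpenSSL's code. It is a simplified model of a decrypted CBC record (data, HMAC-SHA1 tag, padding); all function names are hypothetical, and a count of MAC computations stands in for the timing difference.

```python
import hashlib
import hmac

MAC_LEN = 20    # HMAC-SHA1 tag length
mac_calls = 0   # MAC computations performed; stands in for elapsed time

def mac(key, data):
    global mac_calls
    mac_calls += 1
    return hmac.new(key, data, hashlib.sha1).digest()

def build_plaintext(key, data, block=16):
    """Constructed record plaintext: data || MAC || n+1 padding bytes of value n."""
    body = data + mac(key, data)
    n = (-len(body) - 1) % block
    return body + bytes([n]) * (n + 1)

def split(pt):
    """Return (end_of_mac, padding_ok) for a decrypted record."""
    n = pt[-1]
    if n + 1 + MAC_LEN > len(pt) or pt[-(n + 1):] != bytes([n]) * (n + 1):
        return len(pt), False
    return len(pt) - (n + 1), True

def verify_leaky(key, pt):
    end, pad_ok = split(pt)
    if not pad_ok:
        return None   # early exit: no MAC is computed, so this failure is faster
    data, tag = pt[:end - MAC_LEN], pt[end - MAC_LEN:end]
    return data if hmac.compare_digest(mac(key, data), tag) else None

def verify_uniform(key, pt):
    end, pad_ok = split(pt)   # on bad padding end == len(pt): treated as no padding
    data, tag = pt[:end - MAC_LEN], pt[end - MAC_LEN:end]
    mac_ok = hmac.compare_digest(mac(key, data), tag)   # always computed
    return data if pad_ok and mac_ok else None   # same result for both causes

def mac_work(verify, key, pt):
    """Return (result, number of MAC computations) for one verification."""
    global mac_calls
    mac_calls = 0
    return verify(key, pt), mac_calls
```

With the early exit, a record with bad padding costs zero MAC computations and one with a bad MAC costs one; the uniform version does one MAC computation in both cases and returns the same failure.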