nanog mailing list archives

Re: OpenSSL

From: Eric Rescorla <ekr () rtfm com>
Date: 18 Mar 2003 07:48:10 -0800


alex () yuriev com writes:

This means that it is safer for senior managers in a company to 
communicate using private ADSL Internet connections to their desktops 
rather than using a corporate LAN.


Afraid not. The timing attack is an attack on the SSL server. 
So as long as the SSL server is accessible at all, the attack
can be mounted. And once the private key is recovered, then
you no longer need LAN access.


While the timing attack is the attack against the SSL server, it is my
reading of the paper that the attacks' success largely depends on ability to
tightly control the time it takes to communicate with a service using SSL.
Currently, such control is rather difficult to achive on links other than
ethernet.

Quite so. What I meant here was that as long as Ethernet access
is provided to the server at all, having your own traffic sent
over a non-Ethernet link doesn't protect you.

-Ekr

-- 
[Eric Rescorla                                   ekr () rtfm com]
                http://www.rtfm.com/

Current thread:

OpenSSL Len Rose (Mar 17)
- Re: OpenSSL Scott Francis (Mar 17)
  - Re: OpenSSL Steven M. Bellovin (Mar 17)
    - Re: OpenSSL Scott Francis (Mar 17)
- <Possible follow-ups>
- Re: OpenSSL Stewart, William C (Bill), SALES (Mar 17)
- Re: OpenSSL Michael . Dillon (Mar 18)
  - Re: OpenSSL Eric Rescorla (Mar 18)
    - Re: OpenSSL alex (Mar 18)
    - Re: OpenSSL Petri Helenius (Mar 18)
    - Re: OpenSSL alex (Mar 18)
    - Re: OpenSSL Eric Rescorla (Mar 18)
- RE: OpenSSL Matt Ryan (Mar 18)
  - RE: OpenSSL alex (Mar 18)
  - Re: OpenSSL Petri Helenius (Mar 18)
- RE: OpenSSL Matt Ryan (Mar 19)