oss-sec mailing list archives
Re: Apple goto fail - lessons that should be learned
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 26 Nov 2014 21:01:09 +0100
On Wed, 26 Nov 2014 12:34:15 -0500 (EST) "David A. Wheeler" <dwheeler () dwheeler com> wrote:
I've previously done this exercise with: * Heartbleed: http://www.dwheeler.com/essays/heartbleed.html * Shellshock: http://www.dwheeler.com/essays/shellshock.html * POODLE: http://www.dwheeler.com/essays/poodle-sslv3.html
I've written something similar on POODLE (and BERserk), not sure if I posted this here before: https://blog.hboeck.de/archives/858-Dancing-protocols,-POODLEs-and-other-tales-from-TLS.html Not surprisingly I come to somewhat similar conclusions (protocol downgrade protection, encrypt-then-mac etc.) BERserk has somewhat similar problems, e.g. it's basically also a "we don't deprecate weak/old crypto" (PKCS #1 1.5 and RSA with e=3). But the most important conclusion from POODLE is imho: Be very careful with implementing workarounds for broken hard/software - and don't do them if they compromise security. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Attachment:
_bin
Description: OpenPGP digital signature
Current thread:
- Apple goto fail - lessons that should be learned David A. Wheeler (Nov 26)
- Re: Apple goto fail - lessons that should be learned Hanno Böck (Nov 26)
- Re: Apple goto fail - lessons that should be learned David A. Wheeler (Nov 26)
- Re: Apple goto fail - lessons that should be learned Hanno Böck (Nov 26)