[EMAIL PROTECTED] writes:
> > > This means that it is safer for senior managers in a company to
> > > communicate using private ADSL Internet connections to their desktops
> > > rather than using a corporate LAN.
> >
> > Afraid not. The timing attack is an attack on the SSL server.
> > So as long as the SSL server is accessible at all, the attack
> > can be mounted. And once the private key is recovered, then
> > you no longer need LAN access.
>
> While the timing attack is the attack against the SSL server, it is my
> reading of the paper that the attack's success largely depends on ability to
> tightly control the time it takes to communicate with a service using SSL.
> Currently, such control is rather difficult to achieve on links other than
> ethernet.

Quite so. What I meant here was that as long as Ethernet access is
provided to the server at all, having your own traffic sent over a
non-Ethernet link doesn't protect you.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]
http://www.rtfm.com/