Michael Sierchio <[EMAIL PROTECTED]> writes:
> I didn't mean to claim that no one would ever mount such an attack --
> just that there are enormous practical difficulties to getting any
> timing results via SSL session key creation.

Not really. The bad scenario is someone breaking in to a poorly secured host on the same wire as the system being attacked or near to it -- there's often something you can find. From there, try constructing a large number of connections -- hundreds of thousands of connections would be ignored down in the noise on some valuable sites if you spend enough time at it. Some statistical magic, and you suddenly have a leg up on a valuable private key.

Perry
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]