Re: OpenSSL

2003-03-17 Thread Scott Francis
On Mon, Mar 17, 2003 at 04:39:31AM -0500, [EMAIL PROTECTED] said: > > > More OpenSSL (and SSH) fun. > > http://lists.netsys.com/pipermail/full-disclosure/2003-March/004524.html > AND > http://lists.netsys.com/pipermail/full-disclosure/2003-March/004529.html Fun is about all it comes to. See wha

Re: OpenSSL

2003-03-17 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Scott Francis writes: > > >Fun is about all it comes to. See what Schneier had to say in the most >recent crypto-gram regarding this hole. > This is a new attack, not the one Schneier was talking about. It's very

Re: OpenSSL

2003-03-17 Thread Stewart, William C (Bill), SALES
Steve Bellovin wrote: > The only caveat is that their attack currently works on LANs, not WANs, > because they need more precise timing than is generally feasible over the Internet. On the other hand, many of the SSL servers on the web are located in hosting centers, which are LAN-connected to p

Re: OpenSSL

2003-03-17 Thread Scott Francis
On Mon, Mar 17, 2003 at 12:55:24PM -0500, [EMAIL PROTECTED] said: > In message <[EMAIL PROTECTED]>, Scott Francis writes: > > > > > > >Fun is about all it comes to. See what Schneier had to say in the most > >recent crypto-gram regarding this hole. > >

Re: OpenSSL

2003-03-18 Thread Michael . Dillon
> This is a new attack, not the one Schneier was talking about. It's > very elegant work -- they actually implemented an attack that can > recover the long-term private key. The only caveat is that their > attack currently works on LANs, not WANs, because they need more > precise timing than

Re: OpenSSL

2003-03-18 Thread Eric Rescorla
[EMAIL PROTECTED] writes: > > This is a new attack, not the one Schneier was talking about. It's > > very elegant work -- they actually implemented an attack that can > > recover the long-term private key. The only caveat is that their > > attack currently works on LANs, not WANs, because th

Re: OpenSSL

2003-03-18 Thread alex
> > This means that it is safer for senior managers in a company to > > communicate using private ADSL Internet connections to their desktops > > rather than using a corporate LAN. > > Afraid not. The timing attack is an attack on the SSL server. > So as long as the SSL server is accessible at

Re: OpenSSL

2003-03-18 Thread Petri Helenius
> > While the timing attack is the attack against the SSL server, it is my > reading of the paper that the attacks' success largely depends on ability to > tightly control the time it takes to communicate with a service using SSL. > Currently, such control is rather difficult to achieve on links ot

Re: OpenSSL

2003-03-18 Thread alex
> > While the timing attack is the attack against the SSL server, it is my > > reading of the paper that the attacks' success largely depends on ability to > > tightly control the time it takes to communicate with a service using SSL. > > Currently, such control is rather difficult to achieve on li

Re: OpenSSL

2003-03-18 Thread Eric Rescorla
[EMAIL PROTECTED] writes: > > > This means that it is safer for senior managers in a company to > > > communicate using private ADSL Internet connections to their desktops > > > rather than using a corporate LAN. > > > > Afraid not. The timing attack is an attack on the SSL server. > > So as l

RE: OpenSSL

2003-03-18 Thread Matt Ryan
> > While the timing attack is the attack against the SSL server, it is my > reading of the paper that the attacks' success largely depends on ability to > tightly control the time it takes to communicate with a service using SSL. > Cur

RE: OpenSSL

2003-03-18 Thread alex
> MPLS (on its own) gives you jack-squat in terms of delay and jitter. All the > clever queuing can do it for you - but then it can for IP (because it's the > same thing!). As Eric stated in his previous message, I have not realized that his point was that even one machine that has an ethernet con

Re: OpenSSL

2003-03-18 Thread Petri Helenius
Note the smiley 10 lines down. You have been had. Pete - Original Message - From: "Matt Ryan" <[EMAIL PROTECTED]> To: "'Petri Helenius'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Tuesday, March 18, 2003

RE: OpenSSL

2003-03-19 Thread Matt Ryan
Note the smiley 10 lines down. You have been had. Pete - Original Message - From: "Matt Ryan" <[EMAIL PROTECTED]> To: "'Petri Helenius'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL