To sum up what I've learned until now:
- There are workarounds that openssl implements, but major applications
(including apache) disable them, so they're mostly worthless
- All workarounds on AES-CBC have problems, chrome and firefox discuss
how to handle it, the only real fix is TLS 1.1/1.2
On Tue, Sep 20, 2011 at 08:37:35PM +0200, Richard Könning wrote:
Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2.
You then see that the problem is already addressed in OpenSSL
0.9.6d, over seven years ago. See also
Richard Könning wrote:
Am 20.09.2011 13:19, schrieb Hanno Böck:
It seems some rumors are spreading about an attack presented later this
week against sslv3/tlsv1.0:
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Whatever this attack looks like in detail, all news one can
Am 20.09.2011 22:31, schrieb Hanno Böck:
Am Tue, 20 Sep 2011 20:37:35 +0200
schrieb Richard Könningrichard.koenn...@ts.fujitsu.com:
Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You
then see that the problem is already addressed in OpenSSL 0.9.6d,
over seven years ago. See
Hi,
It seems some rumors are spreading about an attack presented later this
week against sslv3/tlsv1.0:
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Whatever this attack looks like in detail, all news one can find at the
moment suggest that only sslv3/tls 1.0 is affected
Am 20.09.2011 13:19, schrieb Hanno Böck:
It seems some rumors are spreading about an attack presented later this
week against sslv3/tlsv1.0:
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
Whatever this attack looks like in detail, all news one can find at the
moment suggest