Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SSL crack in the news

  • From: Matt Zimmerman
  • Date: Sat Feb 22 17:15:57 2003

On Sat, Feb 22, 2003 at 03:55:14PM -0500, Mark Radabaugh wrote:

> http://www.cnn.com/2003/TECH/internet/02/21/email.encryption.reut/index.html
> 
> Very little real information...

Sounds like a CNN-digested version of CAN-2003-0078, which is a (relatively
minor) bug in OpenSSL which allows for a timing attack.

OpenSSL CHANGES file:
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]

CNN:
NEW YORK (Reuters) -- Researchers at a Swiss university have cracked the
technology used to keep people from eavesdropping on e-mail sent over the
Web...

Typical.

-- 
 - mdz




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.