Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: OpenSSL

  • From: Eric Rescorla
  • Date: Tue Mar 18 10:44:50 2003

alex@yuriev.com writes:

> > > This means that it is safer for senior managers in a company to 
> > > communicate using private ADSL Internet connections to their desktops 
> > > rather than using a corporate LAN.
> >
> > Afraid not. The timing attack is an attack on the SSL server. 
> > So as long as the SSL server is accessible at all, the attack
> > can be mounted. And once the private key is recovered, then
> > you no longer need LAN access.
> 
> While the timing attack is the attack against the SSL server, it is my
> reading of the paper that the attack's success largely depends on ability to
> tightly control the time it takes to communicate with a service using SSL.
> Currently, such control is rather difficult to achieve on links other than
> ethernet.

Quite so. What I meant here was that as long as Ethernet access
is provided to the server at all, having your own traffic sent
over a non-Ethernet link doesn't protect you.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/



