[56058] in North American Network Operators' Group
RE: SSL crack in the news
daemon@ATHENA.MIT.EDU (St. Clair, James)
Sat Feb 22 17:29:44 2003
From: "St. Clair, James" <JStClair@vredenburg.com>
To: "'nanog@merit.edu '" <nanog@merit.edu>
Date: Sat, 22 Feb 2003 17:33:37 -0500
Errors-To: owner-nanog-outgoing@merit.edu
Yeah, CNN screwed up the story more than they releaed anything..
Jim
-----Original Message-----
From: Matt Zimmerman
To: nanog@merit.edu
Sent: 2/22/03 5:13 PM
Subject: Re: SSL crack in the news
On Sat, Feb 22, 2003 at 03:55:14PM -0500, Mark Radabaugh wrote:
>
http://www.cnn.com/2003/TECH/internet/02/21/email.encryption.reut/index.
html
>
> Very little real information...
Sounds like a CNN-digested version of CAN-2003-0078, which is a
(relatively
minor) bug in OpenSSL which allows for a timing attack.
OpenSSL CHANGES file:
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)]
CNN:
NEW YORK (Reuters) -- Researchers at a Swiss university have cracked the
technology used to keep people from eavesdropping on e-mail sent over
the
Web...
Typical.
--
- mdz
