
Lucky 13 TLS Attack...

From: James M Snell <jasnell@gmail.com>
Date: Mon, 4 Feb 2013 21:05:28 -0800
Message-ID: <CABP7Rbcyxg_rj_3pW4sur7Y+Eo-Fb3g+dNzhrxsVeomC9=mA_Q@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Certainly worth a read and relevant to the http/2 work...

  http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

This is certainly an interesting approach to attacking TLS that is based
fundamentally on the amount of time it takes to process specific CBC
ciphertext blocks. There are some definite practical limitations to the
approach that limit its effectiveness but it ought to inform us as to
various traps we need to avoid in other areas. For instance, while reading
this I could not help but wonder if the processing timing associated with
the various compression algorithms could not be used to a similar effect...
particularly as a means of determining what data might already have been
stored in the context. It's something to at least keep in mind moving
forward.

Received on Tuesday, 5 February 2013 05:06:15 GMT
