Logjam and Resetting Handshake Timers in Browsers

The logjam paper is available at

Note that the authors were successful in exploiting it in browsers
because they could send an alert warning to reset the handshake timer.
Cf., page 5.

Is this desired behavior?

I generally use 2-MSL as the "rule of thumb" to determine how long an
attacker has to tamper with things. If its possible to use these sorts
of out of band messages to reset timers, then it probably has a
negative effect on the security of the system.


Received on Thursday, 21 May 2015 18:49:48 UTC