| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140416202021.38b2703c@hboeck.de>
Date: Wed, 16 Apr 2014 20:20:21 +0200
From: Hanno Böck <hanno@...eck.de>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Audit: don't only focus on heartbleed issue
On Wed, 16 Apr 2014 18:10:15 +0800
Shawn <citypw@...il.com> wrote:
> I do believe Lucky-thirteen is far
> more dangerous than heartbleed, we just don't know.
I'd really like to hear some arguments to back that claim.
Basically, Lucky13 is a protocol problem and thus the fix is a bit less
obvious than for heartbleed.
But appart from that: Lucky thirteen only poses a threat if you can
capture insane amounts of the same data encrypted. I never saw any
scenario where I thought this is really a practical threat.
"Getting the private key and other random stuff from Server's memory"
definitely is.
I am all for fixing things like BEAST and Lucky13 and I hope we can
soon all switch to either AES-GCM or AES-CBC with the hopefully soon
released Encrypt-then-MAC extension. But we should keep perspectives:
Heartbleed is a big problem, Lucky Thirteen is minor in comparison.
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists