General discussion area and chat
- Posts: 65
- Joined: 2019-01-06, 07:59
- Location: From RLG fly heading 053 intercept 315 DVV look for the SAM
https://www.zdnet.com/article/new-tls-e ... r-tls-1-3/
This new downgrade attack --which doesn't have a fancy name like most cryptography attacks tend to have-- works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.
The new cryptographic attack isn't new, per-se. It's yet another variation of the original Bleichenbacher oracle attack.
The original attack was named after Swiss cryptographer Daniel Bleichenbacher, who in 1998 demonstrated a first practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function.
So I use Let's Encrypt, does anyone know if they'll update their libraries and Comodo's?
E pur si muove.
All problems in the universe have a solution no matter how complicated.
- Keeps coming back
- Posts: 910
- Joined: 2018-06-08, 17:02
many hardware and software vendors across the years have misinterpreted or failed to follow to the letter of the law
What do they say, the devil is in the details.
- Pale Moon guru
- Posts: 23234
- Joined: 2011-08-28, 17:27
- Location: 58°2'16"N 14°58'31"E
Much ado about nothing.
Side-channel leak attacks will require atypical network traffic to leverage (that will be noticed by server admins easily enough) over extended periods of time. Also, RSA key exchanges are deprecated because they don't have forward secrecy, and are generally not in use any longer, certainly not as preferred cipher suites. TLS 1.3 itself isn't vulnerable, neither are servers that no longer use plain old RSA. So you're looking at needing forced downgrade attacks AND lots of connections to even begin exploiting this... while remaining undetected.
Then, the following:
Updated versions of all the affected libraries were published concurrently in November 2018, when researchers published an initial draft of their research paper.
So it's already been patched in all libraries for 3 months.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
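The two defender-side points made in the post above (a server that no longer offers static RSA key exchange is not exposed, and an oracle needs an unusual volume of RSA handshakes that an admin can notice) can both be turned into simple checks. The following is an added example written for this thread, not code from the Pale Moon project, the ZDNet article, or the researchers. It assumes OpenSSL-style cipher suite names and a hypothetical handshake log format (`timestamp client=... kx=... result=...`); the suite list and log lines are constructed for illustration, and the thresholds are arbitrary starting points rather than measured values.

```python
"""Two defender-side checks related to Bleichenbacher-style RSA oracles:
1. spotting static-RSA key exchange suites in a server's cipher list, and
2. flagging clients whose handshake pattern looks like oracle probing
   (many RSA-key-exchange handshakes with decryption errors in one hour).

All suite lists and log lines below are constructed for illustration; the
log format is hypothetical, not that of any particular server.
"""
import re
from collections import Counter
from datetime import datetime

# Prefixes of OpenSSL suite names whose key exchange is NOT static RSA.
# Approximation of OpenSSL naming: ECDHE/DHE/EDH give forward secrecy,
# ECDH/DH are static Diffie-Hellman, ADH/AECDH are anonymous, PSK/SRP are
# not RSA, and TLS_ names are TLS 1.3 suites (never RSA key exchange).
NON_RSA_KX_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-",
                       "AECDH-", "PSK-", "SRP-", "TLS_")


def uses_rsa_key_exchange(suite):
    """True for suites such as AES128-GCM-SHA256 or RSA-PSK-AES128-CBC-SHA,
    whose premaster secret is RSA-encrypted under the server's key."""
    return not suite.startswith(NON_RSA_KX_PREFIXES)


def rsa_kx_suites(cipher_list):
    """Return the static-RSA key exchange suites present in a cipher list."""
    return [s for s in cipher_list if uses_rsa_key_exchange(s)]


# Hypothetical log line: "<ISO-8601 UTC> client=<ip> kx=<RSA|ECDHE|...> result=<ok|error>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) kx=(?P<kx>\S+) result=(?P<result>\S+)$")


def flag_probing(log_lines, min_rsa_handshakes=20, min_errors=5):
    """Group RSA-key-exchange handshakes by (client, hour). Flag a client when,
    within a single hour, it made at least min_rsa_handshakes of them and at
    least min_errors ended in decrypt_error. A normal client retries a handful
    of times at most; an oracle needs thousands of deliberately bad probes."""
    rsa = Counter()
    errors = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["kx"] != "RSA":
            continue  # malformed or non-RSA handshakes are irrelevant here
        hour = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        key = (m["client"], hour)
        rsa[key] += 1
        if m["result"] == "decrypt_error":
            errors[key] += 1
    return sorted(key for key, n in rsa.items()
                  if n >= min_rsa_handshakes and errors[key] >= min_errors)


# --- constructed sample data ---
SAMPLE_CIPHERS = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                  "DHE-RSA-AES256-GCM-SHA384", "AES128-GCM-SHA256", "AES256-SHA"]


def sample_log():
    """Constructed handshake log: one normal client, one probing client,
    one legitimate legacy client still using RSA key exchange."""
    lines = []
    for i, result in enumerate(["ok", "ok", "handshake_failure", "ok"]):
        lines.append(f"2019-02-10T09:00:0{i}Z client=203.0.113.5 kx=ECDHE result={result}")
    for i in range(40):  # 40 RSA handshakes in one hour, 30 of them decrypt errors
        result = "decrypt_error" if i % 4 else "ok"
        lines.append(f"2019-02-10T09:{i:02d}:00Z client=203.0.113.9 kx=RSA result={result}")
    for i in range(3):   # three clean RSA handshakes: legacy, but not probing
        lines.append(f"2019-02-10T09:3{i}:00Z client=203.0.113.12 kx=RSA result=ok")
    return lines


if __name__ == "__main__":
    print("static-RSA suites still offered:", rsa_kx_suites(SAMPLE_CIPHERS))
    print("clients flagged as probing:", flag_probing(sample_log()))
```

The first check is what an admin would run against the server's configured cipher list: any suite it reports should simply be removed, which closes the oracle regardless of library version. The second is the "atypical traffic" the post refers to; the per-hour bucketing matters because a slow oracle spread over days would otherwise hide below a per-minute rate limit, so in practice the window and thresholds should be tuned to the site's own baseline.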