New TLS encryption-busting attack also impacts the newer TLS 1.3


Post by F22 Simpilot » Sun, 10 Feb 2019, 09:15

This new downgrade attack --which doesn't have a fancy name like most cryptography attacks tend to have-- works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.

The new cryptographic attack isn't new, per-se. It's yet another variation of the original Bleichenbacher oracle attack.

The original attack was named after Swiss cryptographer Daniel Bleichenbacher, who in 1998 demonstrated a first practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function.


https://www.zdnet.com/article/new-tls-e ... r-tls-1-3/


So I use Let's Encrypt; does anyone know if they'll update their libraries and Comodo's?


Re: New TLS encryption-busting attack also impacts the newer TLS 1.3

Post by therube » Sun, 10 Feb 2019, 14:37

many hardware and software vendors across the years have misinterpreted or failed to follow to the letter of the law

What do they say, the devil is in the details.


Re: New TLS encryption-busting attack also impacts the newer TLS 1.3

Post by Moonchild » Sun, 10 Feb 2019, 15:04

Much ado about nothing.

Side-channel leak attacks will require atypical network traffic to leverage (that will be noticed by server admins easily enough) over extended periods of time. Also, RSA key exchanges are deprecated because they don't have forward secrecy, and are generally not in use any longer, certainly not as preferred cipher suites. TLS 1.3 itself isn't vulnerable, neither are servers that no longer use plain old RSA. So you're looking at needing forced downgrade attacks AND lots of connections to even begin exploiting this... while remaining undetected ;-)

Then, the following:
Updated versions of all the affected libraries were published concurrently in November 2018, when researchers published an initial draft of their research paper.

So it's already been patched in all libraries for 3 months.
Yawn.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
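
Added example, not part of the thread or any poster's code: a server-side check that expands an OpenSSL cipher string with Python's standard `ssl` module and lists any suites that still use RSA key exchange, the mode the post above describes as deprecated. The two cipher strings and the function name are constructed for illustration.

```python
import ssl

# Constructed sample configurations (assumptions, not taken from the thread).
LEGACY_CIPHERS = "ECDHE+AESGCM:kRSA+AESGCM"   # still offers RSA key exchange
HARDENED_CIPHERS = "ECDHE+AESGCM:!kRSA"       # RSA key exchange removed


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string as a TLS server would and split the
    resulting suites into (rsa_key_exchange, other) lists of suite names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no cipher at all.
    ctx.set_ciphers(cipher_string)

    rsa_kx, other = [], []
    for suite in ctx.get_ciphers():
        # 'kea' is OpenSSL's key-exchange label: 'kx-rsa' for RSA key
        # transport, 'kx-ecdhe' for ephemeral ECDH, 'kx-any' for TLS 1.3.
        kea = suite.get("kea", "")
        if kea.startswith("kx-rsa"):
            rsa_kx.append(suite["name"])
        else:
            other.append(suite["name"])
    return rsa_kx, other


def report(label, cipher_string):
    """Return a one-line summary suitable for a config-review log."""
    rsa_kx, other = audit_cipher_string(cipher_string)
    if rsa_kx:
        return "%s: %d RSA key-exchange suite(s) enabled: %s" % (
            label, len(rsa_kx), ", ".join(rsa_kx))
    return "%s: no RSA key-exchange suites (%d suites, all forward secret)" % (
        label, len(other))


if __name__ == "__main__":
    print(report("legacy", LEGACY_CIPHERS))
    print(report("hardened", HARDENED_CIPHERS))
```

TLS 1.3 suites are listed regardless of the cipher string because OpenSSL configures them separately; they land in the second list since TLS 1.3 has no RSA key exchange.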

