Page 1 of 1
New TLS encryption-busting attack also impacts the newer TLS 1.3
Posted: 2019-02-10, 09:15
by John connor
This new downgrade attack --which doesn't have a fancy name like most cryptography attacks tend to have-- works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.
The new cryptographic attack isn't new, per-se. It's yet another variation of the original Bleichenbacher oracle attack.
The original attack was named after Swiss cryptographer Daniel Bleichenbacher, who in 1998 demonstrated a first practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function.
https://www.zdnet.com/article/new-tls-e ... r-tls-1-3/
So I use Lets Encrypt, does anyone know if they'll update their libraries and Comodo's?
Re: New TLS encryption-busting attack also impacts the newer TLS 1.3
Posted: 2019-02-10, 14:37
by therube
many hardware and software vendors across the years have misinterpreted or failed to follow to the letter of the law
What do they say, the devil is in the details.
Re: New TLS encryption-busting attack also impacts the newer TLS 1.3
Posted: 2019-02-10, 15:04
by Moonchild
Much ado about nothing.
Side-channel leak attacks will require atypical network traffic to leverage (that will be noticed by server admins easily enough) over extended periods of time. Also, RSA key exchanges are deprecated because they don't have forward secrecy, and are generally not in use any longer, certainly not as preferred cipher suites. TLS 1.3 itself isn't vulnerable, neither are servers that no longer plain old RSA. So you're looking at needing forced downgrade attacks AND lots of connections to even begin exploiting this... while remaining undetected
Then, the following:
Updated versions of all the affected libraries were published concurrently in November 2018, when researchers published an initial draft of their research paper.
So it's already been patched in all libraries for 3 months.
Yawn.