New TLS encryption-busting attack also impacts the newer TLS 1.3

Unread post by John connor » 2019-02-10, 09:15

This new downgrade attack --which doesn't have a fancy name like most cryptography attacks tend to have-- works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.

The new cryptographic attack isn't new, per-se. It's yet another variation of the original Bleichenbacher oracle attack.

The original attack was named after Swiss cryptographer Daniel Bleichenbacher, who in 1998 demonstrated a first practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function.
https://www.zdnet.com/article/new-tls-e ... r-tls-1-3/


So I use Let's Encrypt, does anyone know if they'll update their libraries and Comodo's?


Re: New TLS encryption-busting attack also impacts the newer TLS 1.3

Unread post by therube » 2019-02-10, 14:37

"many hardware and software vendors across the years have misinterpreted or failed to follow to the letter of the law"
What do they say, the devil is in the details.


Re: New TLS encryption-busting attack also impacts the newer TLS 1.3

Unread post by Moonchild » 2019-02-10, 15:04

Much ado about nothing.

Side-channel leak attacks will require atypical network traffic to leverage (that will be noticed by server admins easily enough) over extended periods of time. Also, RSA key exchanges are deprecated because they don't have forward secrecy, and are generally not in use any longer, certainly not as preferred cipher suites. TLS 1.3 itself isn't vulnerable, neither are servers that no longer use plain old RSA. So you're looking at needing forced downgrade attacks AND lots of connections to even begin exploiting this... while remaining undetected ;-)

Then, the following:
"Updated versions of all the affected libraries were published concurrently in November 2018, when researchers published an initial draft of their research paper."
So it's already been patched in all libraries for 3 months.
Yawn.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
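
Added example, not part of the thread or any poster's code: one way to check the point made above about servers that no longer use RSA key exchange, by expanding an OpenSSL cipher string with the local OpenSSL build and listing the suites that still use it. The cipher strings are constructed samples and the function names are hypothetical; the exact suite list depends on the OpenSSL version Python is linked against.

```python
import ssl


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def rsa_key_exchange_suites(cipher_string):
    """Names of enabled suites whose key exchange is RSA encryption.

    OpenSSL describes each suite with a "Kx=" token; "Kx=RSA" means the
    client RSA-encrypts the premaster secret (no forward secrecy).
    TLS 1.3 suites are always listed and show "Kx=any".
    """
    hits = []
    for suite in enabled_suites(cipher_string):
        tokens = suite["description"].split()
        if "Kx=RSA" in tokens:
            hits.append(suite["name"])
    return hits


def without_rsa_key_exchange(cipher_string):
    """Return the cipher string with RSA key exchange excluded (!kRSA)."""
    return cipher_string + ":!kRSA"


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real server.
    legacy = "ECDHE+AESGCM:AES128-GCM-SHA256:AES256-GCM-SHA384"
    for label, cs in (("legacy", legacy),
                      ("hardened", without_rsa_key_exchange(legacy))):
        found = rsa_key_exchange_suites(cs)
        print(label, cs, "->", found or "no RSA key exchange")
```
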
