New TLS encryption-busting attack also impacts the newer TLS 1.3


F22 Simpilot
Lunatic
Posts: 276
Joined: 2019-01-06, 07:59
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

New TLS encryption-busting attack also impacts the newer TLS 1.3

Unread post by F22 Simpilot » 2019-02-10, 09:15

This new downgrade attack --which doesn't have a fancy name like most cryptography attacks tend to have-- works even against the latest version of the TLS protocol, TLS 1.3, released last spring and considered to be secure.

The new cryptographic attack isn't new, per-se. It's yet another variation of the original Bleichenbacher oracle attack.

The original attack was named after Swiss cryptographer Daniel Bleichenbacher, who in 1998 demonstrated a first practical attack against systems using RSA encryption in concert with the PKCS#1 v1 encoding function.
https://www.zdnet.com/article/new-tls-e ... r-tls-1-3/


So I use Let's Encrypt, does anyone know if they'll update their libraries and Comodo's?
If you're that smart and act like a dork, then you're not that smart after all. :geek:

therube
Board Warrior
Posts: 1048
Joined: 2018-06-08, 17:02

Re: New TLS encryption-busting attack also impacts the newer TLS 1.3

Unread post by therube » 2019-02-10, 14:37

"many hardware and software vendors across the years have misinterpreted or failed to follow to the letter of the law"
What do they say, the devil is in the details.

Moonchild
Pale Moon guru
Posts: 24230
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: New TLS encryption-busting attack also impacts the newer TLS 1.3

Unread post by Moonchild » 2019-02-10, 15:04

Much ado about nothing.

Side-channel leak attacks will require atypical network traffic to leverage (that will be noticed by server admins easily enough) over extended periods of time. Also, RSA key exchanges are deprecated because they don't have forward secrecy, and are generally not in use any longer, certainly not as preferred cipher suites. TLS 1.3 itself isn't vulnerable, neither are servers that no longer use plain old RSA. So you're looking at needing forced downgrade attacks AND lots of connections to even begin exploiting this... while remaining undetected ;-)

Then, the following:
"Updated versions of all the affected libraries were published concurrently in November 2018, when researchers published an initial draft of their research paper."
So it's already been patched in all libraries for 3 months.
Yawn.
City of Heroes public server: https://www.moonshard.org/ -- Vote for it on cohservers.com

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne
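
Added example (not part of any post in this thread, and not code from any TLS library): since the thread turns on whether a server still offers RSA key exchange, this script parses text in the format printed by `openssl ciphers -v <cipher-string>` and lists the suites whose key exchange is RSA. The sample lines are constructed for illustration, and the function names are this example's own.

```python
"""List cipher suites that use RSA key exchange, from `openssl ciphers -v` text."""

# Constructed sample in the `openssl ciphers -v` output format (not from a real server).
SAMPLE = """\
TLS_AES_128_GCM_SHA256       TLSv1.3 Kx=any    Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH   Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=DH     Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256            TLSv1.2 Kx=RSA    Au=RSA Enc=AESGCM(128) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256    TLSv1.2 Kx=RSAPSK Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA                   SSLv3   Kx=RSA    Au=RSA Enc=AES(256)    Mac=SHA1
"""

# Key-exchange labels where the client RSA-encrypts a secret to the server's key.
# Au=RSA alone (RSA signatures with ECDHE/DHE) is not RSA key exchange.
RSA_KX = {"RSA", "RSAPSK"}


def parse_ciphers(text):
    """Turn each output line into a dict: name, protocol, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append({"name": fields[0], "protocol": fields[1], **attrs})
    return suites


def audit(text):
    """Split suite names into RSA key exchange and everything else."""
    result = {"rsa_key_exchange": [], "other": []}
    for suite in parse_ciphers(text):
        key = "rsa_key_exchange" if suite.get("Kx") in RSA_KX else "other"
        result[key].append(suite["name"])
    return result


if __name__ == "__main__":
    report = audit(SAMPLE)
    for name in report["rsa_key_exchange"]:
        print("RSA key exchange, no forward secrecy:", name)
    print("Other suites:", ", ".join(report["other"]))
```

To check a real configuration, feed it the output of `openssl ciphers -v` run with the server's configured cipher string instead of `SAMPLE`.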