Researchers have released a paper describing several vulnerabilities in TLS (Transport Layer Security). Some of the attacks have been known for a while, but the paper combines and explains them nicely, and also adds a couple of really clever new ideas. The tricks rely on cutting sessions off and re-starting them in a way that client and server end up with a different (security) state. The full research is available here: https://secure-resumption.com/. The good news is that (a) the main impact is apparently limited to connections that use client-side certificates, which is rare, and (b) the researchers have informed the browser vendors early on, and some browsers and TLS libraries are already patched.
Daniel 377 Posts ISC Handler Mar 4th 2014
Rare is not unimportant. Client side certificates are important for the more sensitive applications, such as firmware reflashing of modern avionics gear!
Moriah 133 Posts Mar 4th 2014
Some encryption and authentication certificates are picked up using sessions with client side certificates.
G.Scott H. 48 Posts Mar 7th 2014