Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141015135519.39227154@pc.my-domain>
Date: Wed, 15 Oct 2014 13:55:19 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: Truly scary SSL 3.0 vuln to be revealed soon:

Am Wed, 15 Oct 2014 11:13:37 +0200
schrieb Pierre Schweitzer <pierre@...ctos.org>:

> It says you can recover plain text of ciphered text, using a specific
> method.
> But, in the end it means you'll have plain text + ciphered text of the
> same text. Does that mean you can easily bruteforce the key that was
> used? So that you can actually, if you logged the complete session,
> decipher the whole session of the user? And not only the cookie?

No.
If you could brute force the key then this would indicate a completely
broken ciphersuite.
We're usually talking about AES or 3DES here. These are considered
reasonably safe.

You only get the cookie. The reason this matters is that cookies often
contain a secure token that is used to indicate the session. So you can
takeover a session e.g. for a mailaccount.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.