[cryptography] new OpenSSL exploitable bug?

Jeffrey Walton noloader at gmail.com
Thu Jun 5 23:22:39 EDT 2014


On Thu, Jun 5, 2014 at 8:17 AM, ianG <iang at iang.org> wrote:
> Another in the rash of weaknesses.  This might mean that the fabled many
> eyeballs have opened up?
>
> https://www.openssl.org/news/secadv_20140605.txt
>
> An attacker using a carefully crafted handshake can force the use of
> weak keying material in OpenSSL SSL/TLS clients and servers. This can be
> exploited by a Man-in-the-middle (MITM) attack where the attacker can
> decrypt and modify traffic from the attacked client and server.
>

For others interested in how this affects key bits, Rich Salz pointed
to Adam Langley's write up at
https://www.imperialviolet.org/2014/06/05/earlyccs.html. It's the best
write up I have seen.

Jeff

