On 09/24/2011 08:44 PM, Martin Bosslet wrote:
> http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
> http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
> 
> From what I understand this is really sweet, instead of trying to guess a
> whole block at a time they play with block boundaries so that they effectively
> only have to guess one byte at a time instead of let's say 16.

Agreed. Wise and pragmatic :)

> And it looks like turning off SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS really does
> prevent this kind of attack, too. But then again, as nahi already hinted at,
> mounting this kind of attack requires quite some sophistication, usually there
> are often easier ways for an attacker.

Some fix is needed, especially for clients, but for now it should be fixed
on the client side, and we should wait to see how OpenSSL treats this issue.

I would say that it's not a blocker for 1.9.3.

> An interesting approach that wouldn't break compatibility seems to be what
> is currently investigated for Chrome:
> 
> http://codereview.chromium.org/7621002
> 
> Instead of sending a totally empty first record they send one with exactly one
> byte to get the same effect of randomizing the IV.

Yeah, if I understand the attack correctly, with this vulnerability an
attacker can try to guess plaintext only as the first block of a CBC
chain. And the above NSS patch reduces the range to 1 byte, and
OpenSSL's empty fragment patch reduces it to 0 bytes. It's wise and
pragmatic, too. :) I hope the 1-byte patch is proven to be safe from
a compatibility point of view...

// NaHi
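The effect discussed in this message, as an added example that is not part of the original mail or of any project's code: a toy TLS 1.0-style CBC record layer in Ruby showing that a guess for a first block can be confirmed only when the next IV is known in advance, and that an empty or 1-byte first record removes that property. `RecordLayer`, `guess_confirmed?`, the simplified record format and the sample secret are all constructed for illustration.

```ruby
require 'openssl'
BLOCK = 16

# Toy TLS 1.0-style CBC record layer (constructed, simplified): MAC-then-encrypt,
# and each record's IV is the last ciphertext block of the previous record.
class RecordLayer
  def initialize(split)
    @split = split # :none, :empty (empty first record) or :one (1-byte first record)
    @key, @mac_key = OpenSSL::Random.random_bytes(16), OpenSSL::Random.random_bytes(20)
    @iv, @seq = OpenSSL::Random.random_bytes(BLOCK), 0
  end

  # Encrypts one application write and returns the ciphertext records it produced.
  def write(data)
    frags = { empty: ['', data], one: [data[0, 1], data[1..-1].to_s] }.fetch(@split, [data])
    frags.map { |frag| seal(frag.b) }
  end

  def seal(frag)
    body = frag + OpenSSL::HMAC.digest('SHA1', @mac_key, [@seq].pack('Q>') + frag)
    @seq += 1
    pad = BLOCK - body.bytesize % BLOCK # TLS-style padding: pad bytes of value pad-1
    cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
    cipher.key, cipher.iv, cipher.padding = @key, @iv, 0
    ct = cipher.update(body + (pad - 1).chr * pad) + cipher.final
    @iv = ct[-BLOCK, BLOCK] # chained IV for the next record
    ct
  end
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# True when a 16-byte guess for `secret` is confirmed from ciphertext alone, taking
# the last ciphertext block already on the wire as the prediction for the next IV.
def guess_confirmed?(split, secret, guess)
  layer, first = RecordLayer.new(split), (split == :empty ? 1 : 0)
  warm = layer.write('warm-up') # makes the IV of the following record observable
  wire = warm + layer.write(secret)
  i = warm.size + first # record whose first block starts with the secret data
  iv_used, c_target = wire[i - 1][-BLOCK, BLOCK], wire[i][0, BLOCK]
  probe = xor(xor(guess, iv_used), wire.last[-BLOCK, BLOCK])
  layer.write(probe)[first][0, BLOCK] == c_target
end

SECRET = 'PIN=4821;id=0007' # constructed 16-byte sample value
%i[none empty one].each { |m| puts "#{m}: #{guess_confirmed?(m, SECRET, SECRET)}" }
```

With `:none` a correct guess is confirmed; with `:empty` or `:one` the first data-bearing block depends on a MAC the observer cannot predict, so even a correct guess is not confirmed.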