Hi,
This have been already discussed in the openssl-dev mailing list. Go to
the mailing list archive and take a look at the subject "openssl 1.0.1
and rumors about TLS 1.0 attacks".
To be brief, this attack has been known for 7 years now and OpenSSL
implemented an effective countermeasure against it since version 0.9.6d
(insertion of empty fragments). So, an OpenSSL based web server is
immune from this attack, unless it uses the flag
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
Links cited in the dev mailing list :
- http://www.openssl.org/~bodo/tls-cbc.txt , section 2.
-
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf
: a 2006 paper discribing the attack and the OpenSSL countermeasure.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 9/21/2011 4:48 PM, Thomas J. Hruska wrote:
The Register published an article yesterday that some people here
might be interested in on TLS 1.0 being "cracked":
http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
The Register points their Finger of Blame right at OpenSSL.
Of course, a lot of places then blew this out of proportion with
headlines along the lines of, "ZOMG! HTTPS/SSL Intertubes Hacked! i
can haz your internets?!?!"
Right now, no one really knows anything about the "research" that is
supposedly going to be published on Friday.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
