From: Hiroshi Nakamura
Date: 2011-09-23T09:25:10+09:00
Subject: [ruby-core:39677] Re: [Ruby 1.9 - Bug #5353][Open] TLS v1.0 and less - Attack on CBC mode

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(2011/09/23 1:14), Martin Bosslet wrote:
> A well-known vulnerability of TLS v1.0 and earlier has recently
> gained some attention:
>
> http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

I think the thread here would be better than media articles.
http://www.ietf.org/mail-archive/web/tls/current/msg08032.html

My current BEAST understanding is: "TLS/SSL CBC IV chaining + victim/attacker multiplexed onto a single TLS/SSL connection on Browser (SSL client side) + CPA (Chosen-plaintext Attack)", but we should wait for the conference session today. Done already?

For the existing TLS/SSL + CBC IV vuln issue, I rarely set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS since clients I write don't allow CPA by an attacker. In ossl, when an attacker can have the same SSLSession object as a victim, the attacker can sniff plaintext more easily in another way. I do the same for servers.

But yeah, using this option correctly must be hard for Ruby users. It would be better to turn the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit off by default. We might get some claims, but we can explain the reason.

> What do you propose? Should we solve this before the 1.9.3 release?
>

Let's wait for the session and see how other SSL clients (mainly Browsers) and SSL servers (OpenSSL project) react.

// NaHi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)

iQEcBAEBAgAGBQJOe9GyAAoJEC7N6P3yLbI2yGUH/0BWS2Fvzpvuy22ul9uQPyBC
Jocp+T+UeuJDZVxf0qzAbl7TLKCH8iVbA16nsy5LmH9Dq41mzJwPn8o0hmCaQXOu
UZh8MFp4T9VfDZlIF/3RwYB35amGrrSr5xc4IxQ60o2GhIutiIIrU6ZfrqUG7FJY
kEty4pnAba2e4fpwgVlA/1K7R+0QJe37fRhvzQ3DGIIXBNbGso3L8zfCmanck4N2
9hP2ftMyeFhb199+kaB9IKfyYzwKIPlKLRdmAxTOrzllu0INRMzgnUoddHDIbixi
B6E1TV2B1Cfh0p07sP3gTZyykaZLQfNuEcxLA6PohHv3asnYEz3ddWZJjGU1lxU=
=fwTo
-----END PGP SIGNATURE-----
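The option NaHi proposes turning off by default is a bit in the `SSLContext#options` mask; `OpenSSL::SSL::OP_ALL` (what older `ossl` set by default) includes `OP_DONT_INSERT_EMPTY_FRAGMENTS`, which disables OpenSSL's empty-fragment countermeasure for CBC suites on TLS 1.0 and earlier. The following is an added example, not code from the thread or from Ruby's `ossl` itself, showing how a Ruby application can clear that bit on its own context today and check that it stayed cleared. The helper names (`options_with_empty_fragments`, `empty_fragments_disabled?`, `hardened_context`) are this example's own.

```ruby
require 'openssl'

# Added example (not from the ruby-core thread): keep OpenSSL's CBC
# empty-fragment countermeasure enabled by clearing the bit that turns it off.
EMPTY_FRAG = OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS

# Pure helper: return an options mask with OP_DONT_INSERT_EMPTY_FRAGMENTS cleared.
# Every other compatibility bit in the input mask is preserved.
def options_with_empty_fragments(options)
  options & ~EMPTY_FRAG
end

# True when a mask (e.g. ctx.options) would disable the countermeasure.
def empty_fragments_disabled?(options)
  (options & EMPTY_FRAG) != 0
end

# Build a context that starts from OP_ALL (the bug-compatibility set, which
# includes the unwanted bit) and drops only the empty-fragment bit.
# SSLContext#options= replaces the whole mask, so the result is exactly
# what we hand it plus whatever OpenSSL forces on.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = options_with_empty_fragments(OpenSSL::SSL::OP_ALL)
  ctx
end

if __FILE__ == $0
  puts "OP_ALL disables empty fragments: #{empty_fragments_disabled?(OpenSSL::SSL::OP_ALL)}"
  ctx = hardened_context
  puts "hardened context disables them:  #{empty_fragments_disabled?(ctx.options)}"
end
```

The check matters only for CBC cipher suites negotiated at TLS 1.0 or SSLv3; with the bit cleared, OpenSSL sends a zero-length record before each application record so that the first real block is no longer encrypted with a predictable IV. Some broken peers choke on the empty record, which is why OP_ALL turns it off; a client that keeps the countermeasure on should expect and log such handshake or read failures rather than silently re-enabling the bit.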