From: Hiroshi Nakamura
Date: 2011-09-26T16:51:38+09:00
Subject: [ruby-core:39727] Re: [Ruby 1.9 - Bug #5353] TLS v1.0 and less - Attack on CBC mode

On 09/24/2011 08:44 PM, Martin Bosslet wrote:
> http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
> http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
>
> From what I understand this is really sweet: instead of trying to guess a
> whole block at a time they play with block boundaries so that they effectively
> only have to guess one byte at a time instead of, let's say, 16.

Agreed. Wise and pragmatic :)

> And it looks like turning off SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS really does
> prevent this kind of attack, too. But then again, as nahi already hinted at,
> mounting this kind of attack requires quite some sophistication; usually there
> are easier ways for an attacker.

Some fix is needed, especially for clients, but for now it should be fixed on the client side, and we should wait to see how OpenSSL treats this issue. I would say that it's not a blocker for 1.9.3.

> An interesting approach that wouldn't break compatibility seems to be what
> is currently being investigated for Chrome:
>
> http://codereview.chromium.org/7621002
>
> Instead of sending a totally empty first record they send one with exactly one
> byte to get the same effect of randomizing the IV.

Yeah, if I understand the attack correctly, with this vulnerability an attacker can try to guess a plaintext only as the first block of the CBC chain. The above NSS patch reduces the range to 1 byte, and OpenSSL's empty fragment patch reduces it to 0 bytes. It's wise and pragmatic, too. :)

I wish the 1-byte patch were proven to be safe from a compatibility point of view...
// NaHi
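The two mitigations discussed in this thread (OpenSSL's empty fragment and the NSS/Chrome 1-byte split) both work by changing which ciphertext block ends up as the IV for the application payload. The following is an added example, not code from the thread or from Ruby's OpenSSL bindings: a toy TLS 1.0-style record writer that chains the IV from the previous record's last ciphertext block (the behaviour the attack relies on), with a `send_split` helper whose `prefix_len` of 0 models the empty fragment and 1 models the 1/n-1 split. It assumes AES-128-CBC and a constructed key and initial IV.

```ruby
require 'openssl'

BLOCK = 16

# Toy TLS 1.0-style CBC record layer: the IV for each record is the last
# ciphertext block of the previous record, so it is visible on the wire
# before the next record is encrypted. Constructed for illustration only.
class ChainedCbcWriter
  attr_reader :next_iv

  def initialize(key, initial_iv)
    @key = key
    @next_iv = initial_iv
  end

  # TLS-style padding: n pad bytes, each holding the value n - 1.
  def pad(data)
    n = BLOCK - (data.bytesize % BLOCK)
    data.b + ([n - 1] * n).pack('C*')
  end

  # Encrypt one record under the chained IV and advance the chain.
  def write_record(plaintext)
    c = OpenSSL::Cipher.new('AES-128-CBC')
    c.encrypt
    c.key = @key
    c.iv = @next_iv
    c.padding = 0 # padding was already applied by pad() above
    ct = c.update(pad(plaintext)) + c.final
    @next_iv = ct[-BLOCK, BLOCK]
    ct
  end
end

# Plain send: the IV that will cover the payload is already on the wire
# (the previous record's last block) before the payload is encrypted.
def send_plain(writer, payload)
  iv_used = writer.next_iv
  { iv_for_payload: iv_used, records: [writer.write_record(payload)] }
end

# Send as two records: a prefix of prefix_len bytes (0 = OpenSSL's empty
# fragment, 1 = the NSS/Chrome 1/n-1 split), then the remainder. The
# remainder is chained off the prefix record's ciphertext, which cannot be
# observed until that record has actually been produced under the key.
def send_split(writer, payload, prefix_len)
  iv_before = writer.next_iv
  head = writer.write_record(payload[0, prefix_len])
  iv_used = writer.next_iv
  tail = writer.write_record(payload[prefix_len..-1])
  { iv_before: iv_before, iv_for_payload: iv_used, records: [head, tail] }
end
```

With `prefix_len` 0 the payload's IV is the ciphertext of a padding-only record; with 1 it is the ciphertext of a one-byte record, which is why Martin notes both give the same IV-randomizing effect.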