Making the rounds, complete w/ sensationalized headline: https://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/ … Short version: libgcrypt doesn't follow best practices to avoid side channel leak of keys. Crypto that does (BoringSSL, OpenSSL, BearSSL, maybe others) shouldn't be impacted. Use them, update often.
The clarification actually just creates more confusion. Intel's statement "Software or software libraries [...] written to ensure constant execution time and data independent cache traces should be immune to TLBleed" actually does clarify things substantially.
I agree that Intel's statement here is accurate and clarifying. I also think it is useful to point out crypto libraries which are written in this way (libgcrypt, based on what I know, is not, BoringSSL and OpenSSL both are).
I think any confusion stems from disagreement: specifically, whether or not software libraries, such as BoringSSL + OpenSSL, are "written to ensure constant execution time and data independent cache traces."