Making the rounds, complete w/ sensationalized headline: https://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/ Short version: libgcrypt doesn't follow best practices to avoid side channel leak of keys. Crypto that does (BoringSSL, OpenSSL, BearSSL, maybe others) shouldn't be impacted. Use them, update often.
AFAICT the paper isn't available publicly yet so I can't refer to it. NSS and OpenSSL are both using non-data-invariant mitigations even in their master branches today, except in special cases like x25519/Ed25519 and some optimized x86-64 or 64-bit-only P-256 implementations.
@agl__ to comment about non-data-invariant side channel mitigation still being relied on in OpenSSL. If that's the case (for either of these libs) we should definitely work on fixing it.
BTW, if you are interested in these things then you should check out copy_to_prebuf/copy_from_prebuf in these libs (and *ring* too) which attempt to thread the needle.
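The copy_to_prebuf/copy_from_prebuf routines mentioned above implement a constant-time gather: every entry of a precomputed table is read on every lookup, and the wanted entry is selected with an arithmetic mask rather than by indexing, so the sequence of addresses touched (and hence the cache lines and TLB entries) does not depend on the secret. The block below is an added example illustrating that idea; it is not code from OpenSSL, NSS, BoringSSL or *ring*, which also go further in how they lay the table out in memory. The table size, entry size and table contents are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the example: 16 precomputed entries of 32 bytes each,
 * the shape of a small fixed-window exponentiation table. The table is a flat
 * buffer of TABLE_ENTRIES * ENTRY_BYTES bytes. */
#define TABLE_ENTRIES 16u
#define ENTRY_BYTES   32u

/* Leaky version: the only memory read depends on the secret index, so the
 * cache line (and page/TLB entry) touched reveals which entry was chosen. */
static void table_lookup_leaky(uint8_t out[ENTRY_BYTES], const uint8_t *table,
                               uint32_t secret_index)
{
    memcpy(out, table + (size_t)secret_index * ENTRY_BYTES, ENTRY_BYTES);
}

/* Returns 0xFF when a == b and 0x00 otherwise, without a branch. */
static uint8_t ct_eq_mask(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;          /* zero iff a == b */
    x |= x >> 16;                /* fold any set bit down into bit 0 */
    x |= x >> 8;
    x |= x >> 4;
    x |= x >> 2;
    x |= x >> 1;
    /* bit 0 is now 1 iff a != b; (0 - 1) wraps to all ones */
    return (uint8_t)(((x & 1u) - 1u) & 0xFFu);
}

/* Constant-time gather: every entry is read on every call, in the same order,
 * and the wanted one is selected by AND-ing with a mask. The addresses touched
 * are therefore independent of secret_index. */
static void table_lookup_ct(uint8_t out[ENTRY_BYTES], const uint8_t *table,
                            uint32_t secret_index)
{
    memset(out, 0, ENTRY_BYTES);
    for (uint32_t i = 0; i < TABLE_ENTRIES; i++) {
        const uint8_t *entry = table + (size_t)i * ENTRY_BYTES;
        uint8_t mask = ct_eq_mask(i, secret_index);
        for (size_t j = 0; j < ENTRY_BYTES; j++)
            out[j] |= entry[j] & mask;
    }
}

/* Fills a constructed table with contents that differ per entry. */
static void fill_table(uint8_t *table)
{
    for (uint32_t i = 0; i < TABLE_ENTRIES; i++)
        for (size_t j = 0; j < ENTRY_BYTES; j++)
            table[(size_t)i * ENTRY_BYTES + j] = (uint8_t)(i * 0x11u + j);
}

/* Checks that the masked gather returns exactly what the direct lookup does
 * for every index; returns 1 on success, 0 on the first mismatch. */
static int lookups_agree(void)
{
    uint8_t table[TABLE_ENTRIES * ENTRY_BYTES];
    uint8_t a[ENTRY_BYTES], b[ENTRY_BYTES];
    fill_table(table);
    for (uint32_t i = 0; i < TABLE_ENTRIES; i++) {
        table_lookup_leaky(a, table, i);
        table_lookup_ct(b, table, i);
        if (memcmp(a, b, ENTRY_BYTES) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    int ok = lookups_agree();
    printf("constant-time gather matches direct lookup: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The mask-and-OR pattern is only as constant-time as the compiler leaves it: an optimizer may recognise the select and turn it back into a branch or an index, which is one reason the production libraries keep this step in assembly or inspect the generated code. It also says nothing about the rest of the computation; a data-invariant access pattern for the table lookup is necessary, not sufficient.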
(Yeah, all of this will hopefully be more clear when fully available. But since leaked I'm trying to avoid complete panic.)
FWIW the above article warns more than once not to panic – it's mostly a cool attack. I'm hoping the paper is made public soon.