I didn't write exploit code at the time because this attack only works when the sequence of instructions being executed depends on sensitive information; and if that's the case you're already leaking information in many other ways (code cache, data cache, branch prediction...).
-
-
Also, the constant-time "fix" for Lucky13/LuckyMinus20 is really only a partial mitigation. To the extent it is a serious issue for an application, one should avoid CBC cipher suites in TLS and more generally avoid bad uses of CBC mode like that. (The *ring* approach, so far.)
-
(The application should avoid the CBC cipher suites completely because generally it can't assume the peer it is communicating with even bothered to fix Lucky13 or BEAST or any other issue related to CBC cipher suites in TLS.)
-
We're about to take CBC out of s2n's default set; it's finally, finally, a small enough percentage of traffic to be viable. Curiously, RC4 and 3DES each went much faster.