Conversation

Replying to
I don't understand the comment about CBC_SHA256 having no Lucky13 countermeasures. Is that an implementation choice in Go, or is there something I'm missing about countermeasures not being possible with SHA256?
1
Replying to and
Implementation choice, AFAIK. IIRC agl wrote that cipher suites are not pokemon, you don't need them all, CBC are needed for compatibility with older non-AEAD software, use the older CBC-SHA1 for that. CBC-SHA2 are kinda pointless since HMAC-SHA1 is not broken.
1
Replying to and
The comment doesn't make that clear, and the links given as references don't explain it either. Also, if there's a choice not to implement a necessary countermeasure for a given ciphersuite, shouldn't it be ripped out of the code? Why leave the hazard lying around?
3
Replying to and
I think because it's not a very practical attack and some people need the compatibility to talk to some legacy services. Software that connects to modern things can use PFS+AEAD only. Changing the default for which cipher suites are allowed is probably a major change.
1
Replying to and
In situations where modern AEAD ciphers are available, none of this is relevant. My point here is that the comment as written is confusing and possibly misleading, and should come with stronger "we left a known hazard in here by choice and you should know about it" language.
1
Show replies