So just to be clear, no one has ever been owned by BEAST or CRIME in the wild, right? Is it an available attack in any public tools?
@dguido Yeah. They're interesting bugs to abuse if, say, you owned a particularly great firewall...
@scarybeasts Rather than making claims like that, I'd like to see evidence. IMHO BEAST et al overexposed relative to their actual risk.
@dguido There is no claim made.
@dguido @scarybeasts dude, don't go injecting practicality. It's an awesome crypto flaw even if it never amounts to much.
@jjarmoc @dguido @scarybeasts maybe awesomer because it's impractical even. Also, awesomer is a perfectly cromuler word.
@jjarmoc @dguido @scarybeasts and really.. Loads of failed auth tokens inbound?! Detection isn't so hard server side. On the wire, yeah.
@dguido @scarybeasts with BEAST you can drop the SSL/TLS records, you don't need the server's answer to decrypt cookies. Detection is harder