So just to be clear, no one has ever been owned by BEAST or CRIME in the wild, right? Is it an available attack in any public tools?
-
@dguido We can't ever know.
@scarybeasts It doesn't sound like anyone gave much thought about detection techniques for these flaws. Might be useful discussion.
-
-
@dguido Yeah. They're interesting bugs to abuse if, say, you owned a particularly great firewall... -
@scarybeasts Rather than making claims like that, I'd like to see evidence. IMHO BEAST et al overexposed relative to their actual risk. - 1 more reply
New conversation -
-
-
@dguido@scarybeasts dude, don't go inecting practicality. It's an awesome crypto flaw even if it never amounts to much. -
@jjarmoc@dguido@scarybeasts maybe awesomer because it's impractical even. Also, awesomer is a perfectly cromuler word. - 1 more reply
New conversation -
-
-
@dguido@scarybeasts with BEAST you can drop the SSL/TLS records, you don't need the server's answer to decrypt cookies. Detection is harderThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.