OpenSSL
Eric Rescorla
ekr at rtfm.com
Tue Mar 18 15:48:10 UTC 2003
alex at yuriev.com writes:
> > > This means that it is safer for senior managers in a company to
> > > communicate using private ADSL Internet connections to their desktops
> > > rather than using a corporate LAN.
> >
> > Afraid not. The timing attack is an attack on the SSL server.
> > So as long as the SSL server is accessible at all, the attack
> > can be mounted. And once the private key is recovered, then
> > you no longer need LAN access.
>
> While the timing attack is the attack against the SSL server, it is my
> reading of the paper that the attack's success largely depends on the ability to
> tightly control the time it takes to communicate with a service using SSL.
> Currently, such control is rather difficult to achieve on links other than
> ethernet.
Quite so. What I meant here was that as long as Ethernet access
is provided to the server at all, having your own traffic sent
over a non-Ethernet link doesn't protect you.
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/