OpenSSL

Eric Rescorla ekr at rtfm.com
Tue Mar 18 15:48:10 UTC 2003


alex at yuriev.com writes:

> > > This means that it is safer for senior managers in a company to 
> > > communicate using private ADSL Internet connections to their desktops 
> > > rather than using a corporate LAN.
> >
> > Afraid not. The timing attack is an attack on the SSL server. 
> > So as long as the SSL server is accessible at all, the attack
> > can be mounted. And once the private key is recovered, then
> > you no longer need LAN access.
> 
> While the timing attack is the attack against the SSL server, it is my
> reading of the paper that the attack's success largely depends on the ability to
> tightly control the time it takes to communicate with a service using SSL.
> Currently, such control is rather difficult to achieve on links other than
> ethernet.

Quite so. What I meant here was that as long as Ethernet access
is provided to the server at all, having your own traffic sent
over a non-Ethernet link doesn't protect you.

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/


