[Ach] [cryptography] new OpenSSL exploitable bug?
noloader at gmail.com
Fri Jun 6 05:22:39 CEST 2014
On Thu, Jun 5, 2014 at 8:17 AM, ianG <iang at iang.org> wrote:
> Another in the rash of weaknesses. This might mean that the fabled many
> eyeballs have opened up?
> An attacker using a carefully crafted handshake can force the use of
> weak keying material in OpenSSL SSL/TLS clients and servers. This can be
> exploited by a Man-in-the-middle (MITM) attack where the attacker can
> decrypt and modify traffic from the attacked client and server.
For others interested in how this affects key bits, Rich Salz pointed
to Adam Langley's write-up at
https://www.imperialviolet.org/2014/06/05/earlyccs.html. It's the best
write-up I have seen.