[Ach] openssl again

Aaron Zauner azet at azet.org
Sat Jan 10 11:36:19 CET 2015

L. Aaron Kaplan wrote:
> https://www.openssl.org/news/secadv_20150108.txt
> *sigh*
> quote: "ECDHE silently downgrades to ECDH (...) This effectively removes forward secrecy from the ciphersuite."

It's not pretty but this need an active adversary (MITM) to exploit.
Having played around with that bug a bit: it's not that easy to exploit
(or maybe I'm doing something wrong this time around? :)).

If you're concerned about that, the same OpenSSL security disclosure
also lists a couple of other client problems (that could -- possibly --
be exploited).

My best guess is that their own vulnerability score is pretty accurate
(in comparison to a well known german blogger who, basically, writes
this is a disaster for OpenSSL. Which is -- clearly -- an
overstatement). I'm pretty sure that similar bugs exist in /all/ TLS
implementations, regardless of the language that it has been originally
programmed in or the people maintaining it (props. to the OpenSSL crew
BTW - you guys are doing excellent work!).


> --- 
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20150110/f7650afc/attachment.sig>

More information about the Ach mailing list