Re: [TLS] Rizzo claims implementation attach, should be interesting

Yoav Nir <> Tue, 20 September 2011 04:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1B20821F86F6 for <>; Mon, 19 Sep 2011 21:10:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.393
X-Spam-Status: No, score=-10.393 tagged_above=-999 required=5 tests=[AWL=0.206, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gnmFV3Ixmg7H for <>; Mon, 19 Sep 2011 21:10:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E226321F85B1 for <>; Mon, 19 Sep 2011 21:10:27 -0700 (PDT)
X-CheckPoint: {4E781FC6-3-1B221DC2-FFFF}
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id p8K4COGS019162; Tue, 20 Sep 2011 07:12:25 +0300
Received: from ([]) by ([]) with mapi; Tue, 20 Sep 2011 07:12:25 +0300
From: Yoav Nir <>
To: Marsh Ray <>
Date: Tue, 20 Sep 2011 07:12:23 +0300
Thread-Topic: [TLS] Rizzo claims implementation attach, should be interesting
Thread-Index: Acx3S3+gssyfqBPgRnS2DXCwJXM/Bg==
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Steingruebl Andy <>, "" <>
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Sep 2011 04:10:29 -0000

On Sep 20, 2011, at 5:31 AM, Marsh Ray wrote:

> On 09/19/2011 07:53 PM, Martin Rex wrote:
> I believe there was a mitigation put in place by OpenSSL: sending an 
> empty (just padding) message before each app data message. The document 
> at suggests that this could be a server-side 
> only change. I don't see how that would work since the session cookie 
> recovery attack is clearly happening on the client->server channel.
> I read somewhere that this mitigation was off by default in OpenSSL 
> because it some software (an old MSIE IIRC).

Yes, Internet Explorer 6 has that problem. Also SSL-using services running under XP.

> Does anyone believe there would be support for a TLS 1.0 Hello extension 
> that could compatibly negotiate the use of empty messages in each 
> direction as a mitigation for this attack?

If you're going to upgrade to a browser that supports the extension, might as well upgrade to IE7. It can deal with the empty fragment.

> I've not been told the details of Duong and Rizzo's attack and haven't 
> seen "the BEAST" in action yet, so I'm not sure if that would be 
> sufficient to fix CBC in TLS 1.0. I am slightly annoyed at these guys 
> for dribbling out the information one hint at a time like this.

A time like what?