Researchers Devise New Attack Techniques Against SSL 33
alphadogg writes "The developers of many SSL libraries are releasing patches for a vulnerability that could potentially be exploited to recover plaintext information, such as browser authentication cookies, from encrypted communications.The patching effort follows the discovery of new ways to attack SSL, TLS and DTLS implementations that use cipher-block-chaining (CBC) mode encryption. The new attack methods were developed by researchers at the University of London's Royal Holloway College. The men published a research paper and a website on Monday with detailed information about their new attacks, which they have dubbed the Lucky Thirteen. They've worked with several TLS library vendors, as well as the TLS Working Group of the IETF, to fix the issue."
Could this be the NSA's secret crack? (Score:3, Insightful)
Rumors have been going around for a while that the NSA is able to crack certain forms of SSL or lower-level AES, and their new data center is for a "store now, decrypt later" operation. Could this be what they have?
Re:Could this be the NSA's secret crack? (Score:5, Insightful)
Yes, the NSA has broken AES, which is why all of the encryption standards they use for their secrets are based on it. Beccause, if they can break it, there's no way someone like, I don't know, China could.
I consider myself on the paranoid side of tech, but even I treat rumors about the NSA seccretly breaking low level schemes the same way I treat rumors about UFOs.