[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: the "crime" attack on TLS

From: Tim Ruehsen
Subject: Re: the "crime" attack on TLS
Date: Thu, 13 Sep 2012 13:49:34 +0200
User-agent: KMail/1.13.7 (Linux/3.2.0-3-amd64; KDE/4.8.4; x86_64; ; )

Am Thursday 13 September 2012 schrieb Nikos Mavrogiannopoulos:
> * How to mitigate the attack?
> 1. Do not enable compression (gnutls' doesn't enable it by default)
> 2. When using compression use the CBC ciphers that include a random
> padding up to 255 bytes. That would increase the number of trials an
> attacker needs to perform significantly.
> 3. Make sure that even if you must mix adversary-controlled data with
> sensitive data, that the adversary cannot trigger that multiple times.

Thank you for the information.

OpenSSL doesn't enable compression by default either.

Wget seems to be clean with GnuTLS and OpenSSL - compression is not enabled 
with GnuTLS nor with OpenSSL.

Regards, Tim

reply via email to

[Prev in Thread] Current Thread [Next in Thread]