alleged attack on TLS

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Sep 21 10:19:40 CEST 2011


There is hype on an alleged attack on the TLS protocol. The authors of
the alleged attack took an irresponsible stance by talking to media
about an alleged attack without providing any details. I'm not
providing any links to them because I don't want to encourage this
behavior by providing more publicity. From information gathered here
and there it seems the attack is a variation or an implementation of
the Bard attack [0]. If you are using GnuTLS and want to prevent such
attacks you can do the following:
* Make sure that TLS 1.1 or TLS 1.2 are not disabled (gnutls enables
them by default, but because of compatibility issues with broken peers
they are often disabled)

This will ensure that if the peer supports those protocols the attack
will not be applicable. If the peer does not support them you'll be
vulnerable to Bard-type of attacks. If this is a problem for you then:
* Disable SSL 3.0 and TLS 1.0

Datagram TLS 1.0 is not vulnerable to this attack.

regards,
Nikos

[0]. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf




More information about the Gnutls-devel mailing list