SSL crack in the news

Very little real information...

Mark Radabaugh
(419) 720-3635

more here:

Lucy E. Lynch Academic User Services
Computing Center University of Oregon (541) 346-1774/Cell: 912-7998

Sounds like a CNN-digested version of CAN-2003-0078, which is a (relatively
minor) bug in OpenSSL which allows for a timing attack.

*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found. This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]

NEW YORK (Reuters) -- Researchers at a Swiss university have cracked the
technology used to keep people from eavesdropping on e-mail sent over the


"Mark Radabaugh" <> writes:

Very little real information...

Here's the writeup I sent to the cryptography mailing list.