http://www.cnn.com/2003/TECH/internet/02/21/email.encryption.reut/index.html
Very little real information...
Mark Radabaugh
Amplex
(419) 720-3635
more here:
http://lasecwww.epfl.ch/memo_ssl.shtml
Lucy E. Lynch Academic User Services
Computing Center University of Oregon
llynch@darkwing.uoregon.edu (541) 346-1774/Cell: 912-7998
Sounds like a CNN-digested version of CAN-2003-0078, which is a (relatively
minor) bug in OpenSSL which allows for a timing attack.
OpenSSL CHANGES file:
  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrect
     block cipher padding has been found. This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)
     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]
CNN:
NEW YORK (Reuters) -- Researchers at a Swiss university have cracked the
technology used to keep people from eavesdropping on e-mail sent over the
Web...
Typical.
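
The countermeasure described in the CHANGES entry quoted above, as an added example (not OpenSSL's code and not part of the original thread): the pre-fix check returns early on bad padding, while the hardened check still computes the MAC and reports one error for both failures. The record layout (data, HMAC-SHA1 tag, TLS-style padding), the function names and the `stats` counter standing in for timing are assumptions made for illustration.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length

def build_plaintext(key, data, block=16):
    """Constructed helper: data || MAC || TLS-style padding (before encryption)."""
    body = data + hmac.new(key, data, hashlib.sha1).digest()
    pad = block - 1 - (len(body) % block)
    return body + bytes([pad]) * (pad + 1)

def padding_ok(pt):
    """TLS-style check: last byte p, preceded by p more bytes equal to p."""
    if len(pt) < MAC_LEN + 1:
        return False
    p = pt[-1]
    return len(pt) >= p + 1 + MAC_LEN and pt[-(p + 1):] == bytes([p]) * (p + 1)

def check_leaky(key, pt, stats):
    """Pre-fix behaviour: bad padding returns early, the MAC is never computed."""
    if not padding_ok(pt):
        return "bad_padding"  # fast path with its own error: distinguishable
    body = pt[:-(pt[-1] + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    stats["macs"] += 1
    good = hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)
    return "ok" if good else "bad_record_mac"

def check_hardened(key, pt, stats):
    """Countermeasure: always compute the MAC, return one error for both cases."""
    pad_good = padding_ok(pt)
    strip = pt[-1] + 1 if pad_good else 0  # bad padding: treat pad as empty
    body = pt[:len(pt) - strip]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    stats["macs"] += 1
    mac_good = hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)
    return "ok" if (pad_good and mac_good) else "bad_record_mac"
```
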
"Mark Radabaugh" <mark@amplex.net> writes:
http://www.cnn.com/2003/TECH/internet/02/21/email.encryption.reut/index.html
Very little real information...
Here's the writeup I sent to the cryptography mailing list.