

'Severe' OpenSSL vuln busts public key crypto - bensummers
http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/

======
noonespecial
So you need physical access to the server/device, specialized power supply
equipment, and then 104 hours on an 81-machine cluster of 2.4 GHz Pentium-4's
to do the exploit. All of which can be solved by simply salting an error
checking algorithm with a little randomness.

Their definition of 'Severe' is severely lacking.

~~~
kylec
Well, SSL is based off of the concept of a web of trust, which means that if
you obtain a root SSL cert (like those held by Verisign, etc) you can perform
man-in-the-middle attacks on countless sites. So while the requirements for
successfully mounting the attack are very high, so are the potential rewards.

~~~
tptacek
SSL is based on trust anchors (PKI), not web of trust (web of trust is PGP).

------
teilo
I'm getting sick of these articles. Waiting for Brother Bruce to weigh in and
silence this alarmist nonsense.

~~~
tptacek
So what you're saying is that you already knew that OpenSSL had a glitching-
style side channel attack, and that you're waiting for someone who has never
assessed OpenSSL's code to shut down news stories about it?

~~~
teilo
No, what I'm saying is that this title is completely alarmist, because the
OpenSSL vulnerability that has been discovered is not vulnerable to attack
past the data center from which it originates. The phrase "busts public key
crypto" is completely misleading.

~~~
tptacek
It busts public key crypto --- in one of its most popular implementations in
both closed and open products, using a class of attacks which has devastated
many other implementations --- in settings where power is under the control of
attackers, which isn't even a remotely uncommon situation. You think you're
debunking a story, but really what you're doing is making it sound like the
only exposure you have to cryptography comes from Schneier's blog.

