

On the (provable) security of TLS: Part 1 - cperciva
http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-1.htm

======
jcr
Matthew Green has remarkably bad timing... The crypto might be provable, but
the implementation is another story:

[https://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512](https://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512)

And no, I've found no other details about the new attack, but if anyone knows
anything, particularly mitigation methods, please post them.

~~~
tptacek
I'm not sure what the point you're making here is. Matthew is very
deliberately talking about formal proofs of the protocol; Juliano and Thai are
talking about implementation flaws.

~~~
jcr
It was the "provable security" phrase that just seemed out of place in light
of recent (but still undisclosed) events. But at least I did differentiate
between the flaws in the implementation and flaws in the underlying crypto...
or at least I tried.

~~~
marshray
The thing to remember is that "proven secure" doesn't mean that any real
existing protocol specifications or implementations are actually secure! It
means that some cryptographers used some (huge) set of simplifications and
assumptions to define a model in which some aspect of the protocol has been
proven to resist specific known attacks. Crypto papers assume their audience
knows exactly what these assumptions are by reference to one of the standard
proof models.

I think Matthew is doing something really good here by trying to bridge the
gap between the proofs and the messy reality.

~~~
daeken
Good example: one-time pads are proven secure, but if I write an application
that swaps OTPs before beginning encrypted communication with those pads, bad
things will happen.
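
The point marshray and daeken make above, as an added illustration that is not part of the thread: the one-time pad's proof holds in a model where the pad is shared out of band and never crosses the channel. The toy protocol below (a constructed example, not any real protocol) breaks that assumption by sending the pad over the wire first, and a passive observer who logs the channel recovers the message. The second half shows why the proof holds when the assumption is respected: for any candidate plaintext there is a pad consistent with the ciphertext, so the ciphertext alone carries no information.

```python
# Constructed example: one-time pad security versus a protocol that
# violates the proof's assumption (pad shared out of band).
import os


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """The OTP primitive: XOR each byte with the pad. Encrypt and decrypt
    are the same operation."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(a ^ b for a, b in zip(data, pad))


def broken_session(message: bytes):
    """Toy protocol (hypothetical): sender draws a fresh pad, sends it over
    the channel, then sends the ciphertext. Returns the frames a passive
    observer sees on the wire."""
    pad = os.urandom(len(message))
    return [
        ("pad_exchange", pad),                 # the assumption violation
        ("ciphertext", otp_xor(message, pad)),
    ]


def sound_session(message: bytes, preshared_pad: bytes):
    """Pad was shared out of band; only the ciphertext crosses the channel."""
    return [("ciphertext", otp_xor(message, preshared_pad))]


def passive_observer(wire):
    """Model a channel logger: with the pad on the wire the message is
    recovered directly; without it, nothing is learned (returns None)."""
    frames = dict(wire)
    if "pad_exchange" in frames:
        return otp_xor(frames["ciphertext"], frames["pad_exchange"])
    return None


def consistent_pad(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for any candidate plaintext of the same
    length there exists a pad that decrypts the ciphertext to it, so the
    ciphertext alone does not distinguish between candidates."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return otp_xor(ciphertext, candidate_plaintext)


if __name__ == "__main__":
    msg = b"attack at dawn"
    print("broken protocol, observer sees:", passive_observer(broken_session(msg)))
    pad = os.urandom(len(msg))
    ct = dict(sound_session(msg, pad))["ciphertext"]
    print("sound protocol, observer sees:", passive_observer(sound_session(msg, pad)))
    alt = b"defend at dusk"
    print("same ciphertext also decrypts to:", otp_xor(ct, consistent_pad(ct, alt)))
```

Nothing in the primitive changed between the two sessions; only the protocol around it did, which is exactly the gap between "proven secure in the model" and "the deployed implementation is secure".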

------
cperciva
Matthew talks about a lot of the same concerns I have with SSL/TLS here, far
more eloquently than I ever have.

~~~
planckscnst
The link is slightly wrong: it's missing the l at the end.

~~~
riffraff
clicky [http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-1.html](http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-1.html)

------
anologwintermut
working link [http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-1.html](http://blog.cryptographyengineering.com/2012/09/on-provable-security-of-tls-part-1.html)

------
DeepDuh
The link is dead. Bummer, I'd like to read that article.

