Websites, mail servers, and other Transport Layer Security (TLS) dependent services that support Diffie-Hellman key exchange using ephemeral keys (DHE cipher suites) are at risk of the DHEat attack. Services using other cryptographic protocols can also be affected.
* Secure Shell (SSH) services support Diffie-Hellman key exchange methods.
* Internet Protocol Security (IPsec) services offer DH groups.
* OpenVPN servers support Diffie-Hellman key exchange in the control channel (DHE TLS ciphers).
I'm a bit confused what the attack is. Is it just that SSL handshakes are expensive for the server, while the client avoids the computational cost because it chooses a random public key instead of one for which it knows the private key?
And why doesn't this also apply to plain RSA and ECDHE_RSA suites, which need to compute an expensive RSA private key operation, which should be similarly expensive as DH?
DHE has already been considered weak, with ECDHE as the recommended replacement, for a long time now, so I suspect that most systems operated by people who take security seriously already won't be vulnerable to this.
Your post corroborates SUSE's[0] claims that ECDHE is not vulnerable to this. Default golang TLS server looks like it's got its head on straight for this.
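A way to check the points raised above about which services offer DHE, given here as an added example that is not code from the thread or from any project it mentions: it flags finite-field DHE entries in a configured TLS cipher or SSH key-exchange list and runs the same check over the suites Go's `crypto/tls` implements. The function names and the sample list are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// isFiniteFieldDHE reports whether an algorithm name denotes ephemeral
// finite-field Diffie-Hellman. Prefix matching is deliberate: "ECDHE-..."
// contains "DHE-" but is elliptic-curve and must not match.
func isFiniteFieldDHE(name string) bool {
	n := strings.ToUpper(strings.TrimSpace(name))
	for _, p := range []string{
		"TLS_DHE_",             // IANA TLS suite names
		"DHE-", "EDH-",         // OpenSSL TLS suite names (EDH is the legacy spelling)
		"DIFFIE-HELLMAN-GROUP", // SSH kex: fixed groups and group-exchange
	} {
		if strings.HasPrefix(n, p) {
			return true
		}
	}
	return false
}

// FilterDHE returns the entries of names that use finite-field DHE.
func FilterDHE(names []string) []string {
	var out []string
	for _, n := range names {
		if isFiniteFieldDHE(n) {
			out = append(out, strings.TrimSpace(n))
		}
	}
	return out
}

// StdlibDHESuites applies the same check to every suite crypto/tls
// implements, including the ones it marks insecure.
func StdlibDHESuites() []string {
	var names []string
	for _, list := range [][]*tls.CipherSuite{tls.CipherSuites(), tls.InsecureCipherSuites()} {
		for _, cs := range list {
			names = append(names, cs.Name)
		}
	}
	return FilterDHE(names)
}

func main() {
	// Constructed sample: a mix of TLS suite names and SSH kex names.
	configured := []string{"ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
		"diffie-hellman-group-exchange-sha256", "curve25519-sha256"}
	fmt.Println("finite-field DHE in config:", FilterDHE(configured))
	fmt.Println("finite-field DHE in crypto/tls:", StdlibDHESuites())
}
```

TLS 1.3 suite names such as `TLS_AES_128_GCM_SHA256` do not encode the key exchange, so this name-based check says nothing about them; the negotiated groups have to be inspected separately.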