Cool new attack on static (non-EC) Diffie-Hellman in OpenSSL. Takes advantage of a timing vulnerability on the server side to extract the connection pre-master secret. Crypto implementations are hard. raccoon-attack.com
This is such an insane attack. You literally get a tiny timing oracle that tells you whether the DH secret begins with a zero byte. And then you just repeat that experiment until you’ve got the whole key. We’re all doomed.
In practice this isn’t a terribly big deal. Static DH is rare and is going away in recent versions. This is further evidence that maybe it should go away faster.
Anyway, I want to add this to the pile of “real, in the wild exploitable timing channels” which, I note, still does not seem to include very many instances of people attacking deep into primitives like EC point mul or stream cipher encryption, where all the brains are focused.
In other words, the name of the game for real exploitable timing channels is “someone did a dumb thing with a protocol” not “they didn’t use my favorite elliptic curve” which is messy and unsatisfying and, it seems, vastly more important.
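The mechanism behind the oracle Green is describing, as an added example that is not from the thread's author or from the Raccoon team: TLS 1.2 (RFC 5246, section 8.1.2) encodes the finite-field DH shared secret as a big-endian integer with leading zero bytes stripped, so a premaster secret whose first byte is zero is one byte shorter than usual. That secret is the HMAC key of the TLS PRF, and HMAC (RFC 2104) pre-hashes any key longer than the hash's block size, so the number of SHA-256 compression calls spent on it depends on its length. The code below models exactly that: the stripping rule, the fixed-length encoding TLS 1.3 uses instead, and the premaster lengths at which one missing byte changes the compression count. The DH group is a toy 64-bit prime constructed for the demo (real groups are 2048 bits or more); the function names are my own.

```python
"""Added illustration of the variable-length TLS 1.2 premaster secret.
Not the thread author's code and not the Raccoon authors' code; the group
parameters below are toy values constructed for the example only."""
import hashlib
import secrets

# Constructed toy group: 2^64 - 59 is prime, 8 bytes wide, top byte 0xFF.
TOY_P = (1 << 64) - 59
TOY_G = 3

SHA256_BLOCK = 64  # HMAC-SHA256 block size in bytes


def modulus_len(p: int) -> int:
    """Byte length of the group modulus, i.e. of an unstripped secret."""
    return (p.bit_length() + 7) // 8


def tls12_premaster(z: int, p: int) -> bytes:
    """RFC 5246 8.1.2: Z as big-endian bytes with leading zero bytes stripped.
    A secret starting with 0x00 therefore comes out one byte shorter."""
    return z.to_bytes(modulus_len(p), "big").lstrip(b"\x00")


def tls13_shared(z: int, p: int) -> bytes:
    """RFC 8446 7.4.1: fixed-length big-endian encoding, zeros kept, so the
    length of the secret reveals nothing about its leading bits."""
    return z.to_bytes(modulus_len(p), "big")


def sha256_compressions(msg_len: int) -> int:
    """SHA-256 compression calls to hash msg_len bytes: the message plus the
    0x80 pad byte and the 8-byte length, rounded up to 64-byte blocks."""
    return (msg_len + 1 + 8 + SHA256_BLOCK - 1) // SHA256_BLOCK


def effective_hmac_key(key: bytes) -> bytes:
    """RFC 2104 key handling: keys longer than the block are hashed first,
    shorter keys are zero-padded. Only the first branch costs a variable
    amount of work."""
    if len(key) > SHA256_BLOCK:
        return hashlib.sha256(key).digest()
    return key.ljust(SHA256_BLOCK, b"\x00")


def hmac_key_compressions(key_len: int) -> int:
    """Compression calls spent on the key pre-hash for a key of key_len bytes
    (zero when the key fits in one block and is merely padded)."""
    return sha256_compressions(key_len) if key_len > SHA256_BLOCK else 0


def length_boundaries(max_len: int = 512) -> list[int]:
    """Premaster lengths n for which an n-byte key and an (n-1)-byte key cost
    a different number of compression calls: these are the lengths at which
    a stripped leading zero byte changes how long the PRF runs."""
    return [n for n in range(SHA256_BLOCK + 1, max_len + 1)
            if hmac_key_compressions(n) != hmac_key_compressions(n - 1)]


def leading_zero_fraction(p: int, g: int, trials: int) -> float:
    """Estimate how often a random DH shared secret in this group loses a
    byte to stripping (about 1/256 when the modulus has a full top byte)."""
    n = modulus_len(p)
    short = 0
    for _ in range(trials):
        a = secrets.randbelow(p - 2) + 1      # toy private keys, never reuse
        b = secrets.randbelow(p - 2) + 1
        z = pow(pow(g, a, p), b, p)           # shared secret g^(ab) mod p
        if len(tls12_premaster(z, p)) < n:
            short += 1
    return short / trials


if __name__ == "__main__":
    print("stripped-byte fraction in toy group:",
          leading_zero_fraction(TOY_P, TOY_G, 4000))
    print("lengths where one fewer byte changes PRF cost:",
          length_boundaries())
```

Two things fall out of running it. First, about 1/256 of the shared secrets lose a byte, so the oracle fires on a small but steady fraction of handshakes. Second, in this RFC-level model the key pre-hash crosses a compression boundary at 65 bytes and then at 120, 184, 248, ... bytes (every 64 thereafter), so 128 and 256 bytes (1024- and 2048-bit moduli) are not boundaries for an HMAC-SHA256 PRF: a single stripped byte changes the key length but not the compression count, and whether the length difference is visible in timing depends on the modulus size and the PRF hash in use.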

Thread by Matthew Green (@matthew_d_green).