Cryptographic Vulnerabilities
The cluster centers on discussions of specific cryptographic attacks and vulnerabilities, such as DUHK, DROWN, padding oracles, and SHA collisions, with debates on their practicality, novelty, historical context, and whether they stem from protocols or implementations.
Sample Comments
Matthew Green also wrote a blog post about this https://blog.cryptographyengineering.com/2017/10/23/attack-o...
Doesn't the key compromise make it even less of a protocol hack?
"could", theoretically. In practice, there has never been an observed exploitation of the supposed vulnerability.
Can anyone else prove this security vulnerability actually existed?
Probably related to this https://shattered.io/
How was it demonstrated not to be secure?
Everyone who reads HN is smart enough to simply read the primary source for this: http://lists.openid.net/pipermail/openid-security/2010-July/... Follow the thread. Nate is Root Labs, Taylor works for him. This is the same vulnerability as Nate found in Google Keyczar last year, and that Coda Hale found in Rails several months ago. Until people start handling crypto flaws the same way we ha
Does this attack affect the security of RSA-based SSH keys, or is it TLS-only?
This is exploitable now. Padding oracles have been found before, and are even homework assignments of the Coursera cryptography course. The specifics of this bug make it a little bit harder but the paper explains how to work around this. Expect this bug to be exploited in the wild since minutes after (or perhaps already before) the release.
More or less, yes. This is a known minor weakness in the protocol. See https://arxiv.org/abs/1311.0243