I walk amongst giants!
agl Wed Dec 15 11:49:55 2010 -0500: ... // note that we still have a timing side-channel in the
agl Wed Dec 15 11:49:55 2010 -0500: // MAC check, below. An attacker can align the record
agl Wed Dec 15 11:49:55 2010 -0500: // so that a correct padding will cause one less hash
agl Wed Dec 15 11:49:55 2010 -0500: // block to be calculated. Then they can iteratively
agl Wed Dec 15 11:49:55 2010 -0500: // decrypt a record by breaking each byte. See
agl Wed Dec 15 11:49:55 2010 -0500: // "Password Interception in a SSL/TLS Channel", Brice
agl Wed Dec 15 11:49:55 2010 -0500: // Canvel et al.
agl Wed Dec 15 11:49:55 2010 -0500: //
robert Wed May 18 13:14:56 2011 -0400: // However, our behavior matches OpenSSL, so we leak
agl Wed Dec 15 11:49:55 2010 -0500: // only as much as they do.
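The side channel the comment above describes comes from the MAC check: if the padding is valid, the MAC is computed over fewer bytes, which can save a hash compression block and show up as a timing difference. Below is an added example of the defensive pattern that closes most of that gap, written as stand-alone Go for this page rather than taken from crypto/tls or any other project: the padding is validated without branching on its (secret) length, the bytes stripped as MAC and padding are still fed to the hash after the MAC is taken so the amount of hashed data does not depend on the claimed padding, and the padding and MAC results are combined into one constant-time verdict. The record layout, key, header fields and sample content are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const macSize = sha1.Size // TLS 1.0 HMAC-SHA1 MAC length

// extractPadding returns how many trailing bytes (padding + length byte) to
// strip from a decrypted CBC payload and a 0/1 flag saying whether the padding
// was well formed. It reads every byte in the maximum possible padding span
// and never branches on the (secret) padding length.
func extractPadding(payload []byte) (toRemove int, good int) {
	n := len(payload) // public
	if n < 1 {
		return 0, 0
	}
	paddingLen := int(payload[n-1])
	// good = 1 only if the claimed padding fits in the payload.
	good = subtle.ConstantTimeLessOrEq(paddingLen+1, n)
	toCheck := 256 // 255 padding bytes + the length byte
	if toCheck > n {
		toCheck = n
	}
	for i := 0; i < toCheck; i++ {
		inPadding := subtle.ConstantTimeLessOrEq(i, paddingLen)
		matches := subtle.ConstantTimeByteEq(payload[n-1-i], byte(paddingLen))
		// a byte inside the padding that does not equal paddingLen clears good
		good &= subtle.ConstantTimeSelect(inPadding, matches, 1)
	}
	// On bad padding treat the length as 0 so every byte stays under the MAC.
	paddingLen = subtle.ConstantTimeSelect(good, paddingLen, 0)
	return paddingLen + 1, good
}

// computeMAC returns HMAC-SHA1(seq || type || version || len || content). After
// the MAC is taken, extra (the bytes stripped as MAC and padding) is also fed
// to the hash so the total amount of hashed data equals the full payload length
// no matter what padding length the record claimed.
func computeMAC(key []byte, seq uint64, recType byte, vers uint16, content, extra []byte) []byte {
	h := hmac.New(sha1.New, key)
	var hdr [13]byte
	binary.BigEndian.PutUint64(hdr[:8], seq)
	hdr[8] = recType
	binary.BigEndian.PutUint16(hdr[9:11], vers)
	binary.BigEndian.PutUint16(hdr[11:13], uint16(len(content)))
	h.Write(hdr[:])
	h.Write(content)
	mac := h.Sum(nil)
	h.Write(extra)
	return mac
}

// verifyRecord checks a decrypted payload laid out as
// content || MAC || padding || paddingLen and returns the content. Padding and
// MAC results are combined so the caller (and the network) see one failure mode.
func verifyRecord(key []byte, seq uint64, recType byte, vers uint16, payload []byte) ([]byte, bool) {
	if len(payload) < macSize { // payload length is public
		return nil, false
	}
	toRemove, paddingGood := extractPadding(payload)
	n := len(payload) - macSize - toRemove
	n = subtle.ConstantTimeSelect(int(uint32(n)>>31), 0, n) // clamp n < 0 to 0 without a branch
	remoteMAC := payload[n : n+macSize]
	localMAC := computeMAC(key, seq, recType, vers, payload[:n], payload[n+macSize:])
	if subtle.ConstantTimeCompare(localMAC, remoteMAC)&paddingGood != 1 {
		return nil, false
	}
	return payload[:n], true
}

// buildPayload assembles a well-formed payload for a constructed test record.
func buildPayload(key []byte, seq uint64, recType byte, vers uint16, content []byte, paddingLen byte) []byte {
	out := append([]byte{}, content...)
	out = append(out, computeMAC(key, seq, recType, vers, content, nil)...)
	for i := 0; i <= int(paddingLen); i++ {
		out = append(out, paddingLen)
	}
	return out
}

func main() {
	key := []byte("constructed-mac-key") // constructed sample key, not a real secret
	payload := buildPayload(key, 1, 23, 0x0301, []byte("GET / HTTP/1.1\r\n"), 7)
	_, ok := verifyRecord(key, 1, 23, 0x0301, payload)
	fmt.Println("intact record accepted:", ok)
	payload[len(payload)-3] ^= 0x01 // corrupt one padding byte
	_, ok = verifyRecord(key, 1, 23, 0x0301, payload)
	fmt.Println("corrupted padding accepted:", ok)
}
```

Two caveats a practitioner should keep in mind. Writing `extra` after `Sum` equalizes the number of bytes the hash consumes, but `Sum` itself still finalizes a copy of the inner state at a position that depends on where the content ends relative to the compression block boundary, so this narrows the timing variation rather than removing it; fully constant-time CBC MAC checking needs block-level control over the hash. And treating bad padding as a zero-length pad is what keeps the MAC covering every byte, which is why padding and MAC failures must be reported identically rather than as two distinct errors.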