Hi,
On Wed, 17 Jan 2018 12:36:42 +0000
"Khandelwal, Kushal" <Kushal_K...@bmc.com> wrote:
> Summary : TLS implementations may disclose side channel information
> via discrepancies between valid and invalid PKCS#1 padding
>
> Link to vulnerability details:
>
> https://www.kb.cert.org/vuls/id/144389
>
> Is Mozilla code affected with this vulnerability?
I'm the discoverer of this attack.
This is not straightforward to answer. ROBOT is a re-discovery of
so-called Bleichenbacher attacks. We only focussed on non-timing
variations of this vuln. NSS is not vulnerable to that.
However Bleichenbacher attacks are also possible with timing - and NSS
is vulnerable and this has been known for a long time, here's the bug
report:
https://bugzilla.mozilla.org/show_bug.cgi?id=577498
This is relatively complicated to exploit over a real network. Also I
should note that there's a related timing issue due to variable sized
bignums that affects practically every TLS implementation out there.
This all boils down to RSA encryption in PKCS #1 v1.5 being incredibly
fragile. Our recommendation when we disclosed ROBOT was to just turn
that off and always rely on forward secrecy-enabled ciphers.
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
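As an added illustration of the non-timing padding discrepancy the thread is about, and of the standard countermeasure, here is a Python example written for this page; it is not Hanno's code, not NSS code, and not part of the original mail. It contrasts a textbook PKCS#1 v1.5 type-2 decoder, which reports a different error for each way the block can be malformed, with the RFC 5246 section 7.4.7.1 approach: check every condition without an early exit, and on any failure silently substitute a random 48-byte premaster secret so the peer sees the same behaviour either way. Python cannot make the mask arithmetic genuinely constant-time, so treat the structure as the point; the helper `pkcs1_v15_type2_encode` and the sample values are constructed for the demonstration. Note that this mitigation covers only the padding-check oracle; it does nothing for the bignum-size timing variation mentioned above, which is why disabling RSA key exchange in favour of forward-secret ciphers remains the recommendation.

```python
import secrets

PMS_LEN = 48  # TLS premaster secret length (RFC 5246 section 7.4.7.1)


def pkcs1_v15_type2_encode(message: bytes, k: int) -> bytes:
    """Constructed test helper: build EM = 00 || 02 || PS || 00 || M of length k,
    where PS is at least 8 non-zero random bytes."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("modulus too small for message")
    ps = bytearray()
    while len(ps) < ps_len:
        b = secrets.token_bytes(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def naive_unpad(em: bytes) -> bytes:
    """Textbook decoder: each malformation raises a distinct error, so the
    error visible to the sender is exactly the oracle a Bleichenbacher-style
    attack needs."""
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def tls_premaster(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246 style decoder: validate the whole block with no early exit,
    then use a mask to select either the embedded premaster secret or a random
    one, so a malformed block produces no distinguishable error or path."""
    k = len(em)
    rnd = secrets.token_bytes(PMS_LEN)
    if k < PMS_LEN + 11:  # modulus size is public; too small to hold PS(>=8)+PMS
        return rnd
    bad = em[0] | (em[1] ^ 0x02)              # leading 00 02
    for i in range(2, k - PMS_LEN - 1):        # PS must contain no zero byte
        bad |= ((em[i] - 1) >> 8) & 1          # 1 iff em[i] == 0 (arithmetic shift)
    bad |= em[k - PMS_LEN - 1]                 # separator must be 0x00
    bad |= em[k - PMS_LEN] ^ client_version[0]      # embedded client_version
    bad |= em[k - PMS_LEN + 1] ^ client_version[1]  # must match the hello
    mask = ((bad | -bad) >> 8) & 0xFF          # 0xFF if anything was wrong, else 0
    return bytes(((e & (mask ^ 0xFF)) | (r & mask))
                 for e, r in zip(em[-PMS_LEN:], rnd))


if __name__ == "__main__":
    version = b"\x03\x03"
    pms = version + bytes(range(1, 47))        # constructed: 48 bytes, no zeros
    em = pkcs1_v15_type2_encode(pms, 128)
    print(tls_premaster(em, version) == pms)   # valid block: real PMS
    bad_em = b"\x00\x03" + em[2:]              # wrong block type
    print(len(tls_premaster(bad_em, version))) # still 48 bytes, no error
```

The usage at the bottom shows the observable difference: `naive_unpad` tells the sender which check failed, while `tls_premaster` returns a 48-byte value in every case and leaves the mismatch to be discovered only at the Finished message, where it is indistinguishable from a wrong key.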