Thai Duong and Juliano Rizzo today demoed an attack against TLS 1.0s use of cipher block chaining CBC in a browser environment. The authors contacted browser vendors several months ago about this and so, in order not to preempt their demo, I havent discussed any details until now.
Contrary to several press reports, Duong and Rizzo have not found, nor do they claim, any new flaws in TLS. They have shown a concrete proof of concept for a flaw in CBC that, sadly, has a long history. Early reports of the problem date back nearly ten years ago and Bard published two papers detailing the problem.
Leave a Reply