Author christian.heimes
Recipients alex, christian.heimes, dstufft, giampaolo.rodola, janssen
Date 2016-08-24.13:43:47
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Another attack with a catchy name and logo. This time 3DES is showing its age. 3DES should be removed from the list of server ciphers in ssl._RESTRICTED_SERVER_CIPHERS. For client ciphers we can leave it in for now. An attack requires dynamic code execution of code from a malicious 3rd party and several hundred GB of traffic. It's relevant for browsers with JS but not for majority of Python applications. OpenSSL 1.1.0 will remove 3DES support by default anyway.

> As seen previously, the full attack should require 236.6 blocks (785 GB) to recover a two-block cookie, which should take 38 hours in our setting. Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours.
Date User Action Args
2016-08-24 13:43:48christian.heimessetrecipients: + christian.heimes, janssen, giampaolo.rodola, alex, dstufft
2016-08-24 13:43:48christian.heimessetmessageid: <>
2016-08-24 13:43:48christian.heimeslinkissue27850 messages
2016-08-24 13:43:47christian.heimescreate