On Wed, 16 Apr 2014 18:10:15 +0800
Shawn <citypw@xxxxxxxxx> wrote:

> I do believe Lucky-thirteen is far
> more dangerous than heartbleed, we just don't know.

I'd really like to hear some arguments to back that claim.

Basically, Lucky13 is a protocol problem and thus the fix is a bit less obvious than for heartbleed. But apart from that: Lucky thirteen only poses a threat if you can capture insane amounts of the same data encrypted. I never saw any scenario where I thought this is really a practical threat. "Getting the private key and other random stuff from Server's memory" definitely is.

I am all for fixing things like BEAST and Lucky13 and I hope we can soon all switch to either AES-GCM or AES-CBC with the hopefully soon released Encrypt-then-MAC extension. But we should keep perspective: Heartbleed is a big problem, Lucky Thirteen is minor in comparison.

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@xxxxxxxxx
GPG: BBB51E42
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/