Topic: Built-in protection from session ID attacks.
2009-12-02 10:02:38 UTC
Does this http://www.mozilla.org/projects/securit … y-cbc.html or this http://cve.mitre.org/cgi-bin/cvename.cg … -2003-0078 apply to wolfSSL embedded SSL?
2009-12-03 00:37:41 UTC
The first attack isn't possible with wolfSSL since a general fatal alert is sent in this case instead of a more specific error that could potentially leak timing information. The second one doesn't affect wolfSSL since a MAC computation is done independent of padding errors, preventing the timing attack entirely.
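Added example, not part of the original thread and not wolfSSL's code: a Python sketch of the record check described in the reply above, where the MAC is computed whether or not the CBC padding is valid and every failure collapses into one generic result. The function names, the HMAC-SHA1 suite, the header layout and the `mac_trace` list are assumptions for illustration; Python shows the control flow only, not cycle-exact timing.

```python
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag size (assumed cipher suite)
mac_trace = []    # one entry per MAC computation, so callers can observe it

def record_mac(key, header, payload):
    mac_trace.append(len(payload))
    msg = header + len(payload).to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha1).digest()

def seal(key, header, payload, block=16):
    """Build payload || MAC || padding as it looks before CBC encryption."""
    body = payload + record_mac(key, header, payload)
    pad_len = (-(len(body) + 1)) % block
    return body + bytes([pad_len]) * (pad_len + 1)

def check_record(key, header, plaintext):
    """Return the payload, or None for any failure (one generic fatal alert)."""
    if len(plaintext) < MAC_LEN + 1:
        return None
    pad_len = plaintext[-1]
    pad_ok = pad_len + 1 + MAC_LEN <= len(plaintext)
    if pad_ok:
        diff = 0
        for b in plaintext[-(pad_len + 1):]:   # no early exit on first bad byte
            diff |= b ^ pad_len
        pad_ok = diff == 0
    if not pad_ok:
        pad_len = 0   # bad padding: continue as if the pad were zero-length
    mac_end = len(plaintext) - 1 - pad_len
    payload = plaintext[:mac_end - MAC_LEN]
    tag = plaintext[mac_end - MAC_LEN:mac_end]
    # The MAC is always computed and compared, even when pad_ok is False.
    mac_ok = hmac.compare_digest(record_mac(key, header, payload), tag)
    return payload if (pad_ok and mac_ok) else None

if __name__ == "__main__":
    key = b"k" * 20                          # constructed sample key
    header = bytes(8) + b"\x17\x03\x01"      # constructed seq number, type, version
    rec = seal(key, header, b"hello")
    bad_pad = rec[:-2] + bytes([rec[-2] ^ 1]) + rec[-1:]
    bad_mac = rec[:5] + bytes([rec[5] ^ 1]) + rec[6:]
    print(check_record(key, header, rec))
    print(check_record(key, header, bad_pad), check_record(key, header, bad_mac))
```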
2009-12-03 09:56:23 UTC
Great! Thanks, Todd!