On Mon, Aug 12, 2013 at 10:36 AM, Marcus Meissner <meissner@suse.de> wrote:
Can software running with normal user privileges observe their own packets in that much detail, or does this attack require root access on the victim computer?
No.
As far as understand this still needs to happen in the same TLS session somehow, and so the attack will guess a token that a malicious other site would need to send to do stuff.
The compressed reply size would need to be observed somehow, which a browser session would not be able to.
If your right about it having to be the same TLS session, then the malware would need to monitor browser sessions until it sees a TLS session initiated. Then start a background crypto attack from within the same TLS session, then magically monitor the TCP/IP stack to see the compressed packet sizes to allow the crypto attack to proceed. Once successful it could observe / decode future traffic on the TLS session but not that which had already happened? As to your comment about a keylogger, are the known Java vulnerabilities such that the attacker can monitor keyboard activity. If so, I see why that would be a far more significant vulnerability that this new one. Thanks Greg -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org