On Mon, Aug 12, 2013 at 11:01:09AM -0400, Greg Freemyer wrote:
On Mon, Aug 12, 2013 at 10:36 AM, Marcus Meissner <meissner@suse.de> wrote:
Can software running with normal user privileges observe their own packets in that much detail, or does this attack require root access on the victim computer?
No.
As far as I understand this still needs to happen in the same TLS session somehow, and so the attack will guess a token that a malicious other site would need to send to do stuff.
The compressed reply size would need to be observed somehow, which a browser session would not be able to do.
If you're right about it having to be the same TLS session, then the malware would need to monitor browser sessions until it sees a TLS session initiated. Then start a background crypto attack from within the same TLS session, then magically monitor the TCP/IP stack to see the compressed packet sizes to allow the crypto attack to proceed.
Once successful it could observe / decode future traffic on the TLS session but not that which had already happened?
Actually it could capture data transmitted within the session. It would not be able to decrypt the session itself. But yes, so far it's mostly a lab setting or for an attacker able to hook into network infrastructure like the NSA.
As to your comment about a keylogger, are the known Java vulnerabilities such that the attacker can monitor keyboard activity? If so, I see why that would be a far more significant vulnerability than this new one.
Ciao, marcus