Michael.Dillon@radianz.com writes:
This is a new attack, not the one Schneier was talking about. It's very elegant work -- they actually implemented an attack that can recover the long-term private key. The only caveat is that their attack currently works on LANs, not WANs, because they need more precise timing than is generally feasible over the Internet.
Hmmm... This means that it is safer for senior managers in a company to communicate using private ADSL Internet connections to their desktops rather than using a corporate LAN. Afraid not. The timing attack is an attack on the SSL server. So as long as the SSL server is accessible at all, the attack can be mounted. And once the private key is recovered, then you no longer need LAN access.
-Ekr -- [Eric Rescorla ekr@rtfm.com] http://www.rtfm.com/