[gnutls-devel] Incorrect SSL heartbeat bounds checking (not exploitable)

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Apr 12 09:15:00 CEST 2014

On Sat, Apr 12, 2014 at 5:53 AM, Peter Dettman
<peter.dettman at bouncycastle.org> wrote:
> Hi Nikos,
> I noticed the git commit go thru yesterday and it appears correct to me
> (although the commit message names the wrong Peter!).

Sorry, copy-paste error. I've corrected it in the NEWS entry.

>> I remember that this was not the choice of the authors. That change was
>> forced by the IESG reviewers.
>> http://www.ietf.org/mail-archive/web/tls/current/msg08311.html
> Thankyou for the link; your comments on that thread do you credit. May I
> infer that you were somehat dubious of the reasoning at the time?

If I remember well I think my point was based on the fact that
requiring the data to be random you cannot verify if any of the
parties are leaking information (either willingly or not) to the peer.
The IESG's point was that using a fixed string would allow a known
plaintext attack on the cipher. There are of course arguments for both
points. Given the dual-ec issue, my suggestion looks better, but a
different vulnerability on the cipher could have made my suggestion


More information about the Gnutls-devel mailing list