As an added bonus, @trueskrillor, the lead author of the Terrapin paper (who still isn't active on Mastodon 🙁 ) is holding court in the comments forum. Now would be a good time to mosey on over and ask questions.
Conversation
Notices
-
Embed this notice
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 21-Dec-2023 03:37:44 JST 
Dan Goodin
-
Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 21-Dec-2023 03:37:44 JST 
翠星石
@dangoodin I'd just like to interject for a moment.
What you're referring to mastodon is in fact the fediverse, as Mastodon is only one of many free software programs that support the ActivityPub protocol.
Originally there was GNU Social, which used the OStatus protocol and Mastodon came much later. -
Embed this notice
Dan Goodin (dangoodin@infosec.exchange)'s status on Thursday, 21-Dec-2023 03:37:45 JST
Dan Goodin
It's hard to overstate the importance of SSH in securing home networks, massive cloud centers and everything in between. Now, researchers have devised a novel cryptographic attack that breaks integrity of this widely used protocol. Dubbed Terrapin, it's the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. Terrapin exploits weaknesses in the specification of SSH when paired with widespread algorithms (ChaCha20-Poly1305 and CBC-EtM) to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.
-
Embed this notice
All GNU social JP content and data are available under the