"Perry E. Metzger" <pe...@piermont.com> writes: >Greg Rose <g...@qualcomm.com> writes: >> It already wasn't theoretical... if you know what I mean. The writing >> has been on the wall since Wang's attacks four years ago. > >Sure, but this should light a fire under people for things like TLS 1.2.
Why? Seriously, what threat does this pose to TLS 1.1 (which uses HMAC-SHA1
and SHA-1/MD5 dual hashes)? Do you think the phishers will even notice this
as they sort their multi-gigabyte databases of stolen credentials?

The problem with TLS 1.2 is that it completely breaks backwards compatibility
with existing versions; it's an even bigger break than the SSL -> TLS
changeover was. If you want something to incentivise vendors to break
compatibility with the entire deployed infrastructure of TLS devices, the
attack had better be something pretty close to O(1), preferably with deployed
malware already exploiting it.

Ten years ago you may have been able to do this sort of thing because it was
cool and the geeks were in charge, but today, with a deployed base of several
billion devices (computers, cellphones, routers, printers, you name it), the
economists are in charge, not the cryptographers, and if you do the sums
TLS 1.2 doesn't make business sense. It may be geeky-cool to make the change,
but geeky-cool isn't going to persuade (say) Linksys to implement TLS 1.2 on
their home routers.

(I can't believe I just said that :-).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
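The "SHA-1/MD5 dual hashes" the reply refers to is the TLS 1.0/1.1 PRF (RFC 2246 section 5), which XORs an MD5-based and a SHA-1-based HMAC stream so that a weakness in one hash alone does not let an attacker predict the output. The following is an added example, not code from the post or from any TLS implementation; the secret, label and random values are constructed for illustration.

```python
import hmac
import hashlib


def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5 (TLS 1.0/1.1):
    HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC_hash(secret, A(i-1)).
    Output is truncated to the requested length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def split_secret(secret):
    """S1 is the first ceil(L/2) bytes, S2 the last ceil(L/2) bytes; for an
    odd-length secret the middle byte is shared (RFC 2246 section 5)."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls11_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 keyed with S1 XOR P_SHA1 keyed with S2, both
    run over label + seed. Breaking SHA-1 alone still leaves the MD5 stream
    masking every output byte, and vice versa."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def derive_master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47] (RFC 2246 section 8.1)."""
    return tls11_prf(pre_master_secret, b"master secret",
                     client_random + server_random, 48)


# Constructed sample inputs, not real handshake values.
SAMPLE_PMS = bytes(range(48))
SAMPLE_CLIENT_RANDOM = b"\x11" * 32
SAMPLE_SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    ms = derive_master_secret(SAMPLE_PMS, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    print("master_secret:", ms.hex())
```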