This is one reason why keeping around old assembly code can have a cost. :(
https://github.com/openssl/openssl/pull/5320
Andy and Tim: Still waiting for your response to my question in that PR …
--- Begin Message ---
OpenSSL bugs, TLSv1.3 latest, Cloud Crypto Logging and a free 14-day trial of
Cryptosense Analyzer!
Find and resolve crypto misuse vulnerabilities in your applications and
infrastructure.
Dear Rich,
In April's crypto bulletin:
OpenSSL - Security-critical bug in PA-RISC Assembly code
Cloud Crypto Providers Comparison - Part 3
TLS v1.3 - Is 0-RTT Safe?
Get a Free 14-day trial of Cryptosense Analyzer!
PA-RISC OpenSSL Issue
On 27th March, an OpenSSL security advisory was issued describing an issue in
the PA-RISC assembly-language implementation of CRYPTO_memcmp. This function
compares two bitstrings in constant time to avoid timing leaks. The bug meant
that effectively only the least significant bit of every byte in the bitstring
was actually compared, making it substantially easier to e.g. fake an HMAC tag.
The assembly code can only be compiled on the HP-UX platform so relatively few
users are affected. However, there are a couple more issues in the advisory
so, as always, it's important to upgrade.
Cloud Crypto Providers Comparison - Part 3
At Cryptosense we've been taking a look at the crypto on offer from the big
three public cloud providers - Amazon (AWS KMS), Google (Cloud KMS) and
Microsoft (Azure Keyvault). In part three we covered logging and alerts on key
usage. You can still read parts one and two.
TLS v1.3 - is 0-RTT Secure?
The long awaited TLS v1.3 protocol includes a special zero round-trip or 0-RTT
mode that allows a client and server that have communicated before to restart
communication without a full handshake. This saves time but introduces a
possible security risk if the server is compromised. A widely-read Twitter
thread by Amazon's Colm MacCárthaigh (unrolled here) explains the issues
nicely. Briefly: security requires a certain amount of trust in the servers
that you talk to.
Get a Free Trial of Cryptosense Analyzer SaaS Edition
You can now get a free trial of our automated crypto audit software for
applications, Cryptosense Analyzer. Just hit the button below to start your
14-day evaluation, no credit card required. You can also come and see us in San
Francisco around RSAC 2018 April 17-19.
Cryptosense Analyzer Free Trial
The Cryptosense Team
Copyright © 2018 Cryptosense, All rights reserved.
You're receiving this mail because you signed up at the Cryptosense website,
visited us at the booth at RSA or met with us over the last year. The volume
of these mails will be maximum one per month. To unsubscribe, see the link
below.
Our mailing address is:
Cryptosense 40bis rue du Fbg Poissonnière
Paris 75010 France
--- End Message ---
_______________________________________________
openssl-project mailing list
[email protected]
https://mta.openssl.org/mailman/listinfo/openssl-project
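
Added example, not part of the original mail or the forwarded bulletin and not OpenSSL's code: a bit-flip regression test of the kind that catches a comparison routine which ignores some bits of each byte. `ct_memcmp_lsb_only` is a constructed model of the behaviour the bulletin describes (it is not the PA-RISC assembly), and all function names and the sample tag are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
typedef int (*cmp_fn)(const void *, const void *, size_t);

/* OR together (a[i] ^ b[i]) & mask over the whole buffer; 0 means "equal". */
static int cmp_masked(const void *a_, const void *b_, size_t len, unsigned mask)
{
    const volatile unsigned char *a = a_, *b = b_;
    unsigned diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned)(a[i] ^ b[i]) & mask;
    return (int)diff;
}
/* Reference: all 8 bits of every byte take part in the comparison. */
int ct_memcmp_ref(const void *a, const void *b, size_t n) { return cmp_masked(a, b, n, 0xFF); }
/* Constructed model of the described flaw: only bit 0 of each byte counts. */
int ct_memcmp_lsb_only(const void *a, const void *b, size_t n) { return cmp_masked(a, b, n, 0x01); }

/* Flip each bit of a copy of `tag` in turn and count the flips that the
 * comparison fails to notice. A sound routine must return 0 here. */
size_t count_missed_bit_flips(cmp_fn cmp, const unsigned char *tag, size_t len)
{
    unsigned char copy[64];
    size_t missed = 0;
    if (len > sizeof(copy) || cmp(tag, tag, len) != 0)
        return (size_t)-1;          /* too long, or equal inputs rejected */
    for (size_t i = 0; i < len; i++)
        for (int bit = 0; bit < 8; bit++) {
            memcpy(copy, tag, len);
            copy[i] ^= (unsigned char)(1u << bit);
            if (cmp(tag, copy, len) == 0)
                missed++;
        }
    return missed;
}

/* Run the check over a constructed 32-byte tag (sample data, not a real MAC). */
size_t selftest(cmp_fn cmp)
{
    unsigned char tag[32];
    for (size_t i = 0; i < sizeof(tag); i++) tag[i] = (unsigned char)(i * 37 + 11);
    return count_missed_bit_flips(cmp, tag, sizeof(tag));
}

int main(void)
{
    printf("reference: %zu missed, lsb-only model: %zu missed of 256 flips\n",
           selftest(ct_memcmp_ref), selftest(ct_memcmp_lsb_only));
    return 0;
}
```

A test like this, run against every platform-specific implementation of a comparison primitive, fails as soon as any single-bit difference goes undetected.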