[openssl-users] request for TLBleed information / non-constant-time vulnerabilities
Michael R. Hines
mrhines at digitalocean.com
Thu Jul 26 20:48:34 UTC 2018
Good afternoon,
Our team is trying to get an accurate understanding of whether or not
cryptographic libraries are vulnerable to the kind of non-constant-time
attack used by exploits such as the one recently documented here:
https://www.vusec.net/wp-content/uploads/2018/07/tlbleed-author-preprint.pdf
Unfortunately, Intel has not provided much guidance in this area but has
indicated that software mitigation can and should be implemented by
libraries like OpenSSL. We're also not currently aware of any open CVEs
or embargoes active for this particular side-channel attack.
Any help or guidance would be appreciated.
Can the openssl community comment on this?
Thanks!
--
/*
* Michael R. Hines
* Staff Engineer, DigitalOcean.
*/