Paolo Abeni wrote:
>> 2) Change the code to only identify the weak keys, but not use it
>> to decrypt the SSL traffic (would this also be CPU intensive?)
>
> Yes. It will take nearly exactly the same amount of time and computation
> since, in current code, the larger amount of time is spent looping on
> candidate weak keys.

Right. I'd been labouring under the misunderstanding that you could
identify whether a key was weak without having to brute force it. Having
looked at Paolo's patch a bit more, I now see that isn't true.

This certainly shouldn't be enabled by default - I don't want my
Wireshark to spend ages attempting to brute-force keys every time I
happen to pick up a bit of SSL traffic.

You could leave the code in there, and have an 'identify weak keys' menu
option.

But at present I'm changing my vote to 1) Don't include the code at all.

Cheers
Richard
--
Richard van der Hoff <richardv@xxxxxxxxxxxxx>
Project Manager
Tel: +44 (0) 845 666 7778
http://www.mxtelecom.com