On Thu, Aug 07, 2008 at 09:59:41AM +0100, Richard van der Hoff wrote:
> Paolo Abeni wrote:
> >> 2) Change the code to only identify the weak keys, but not use it
> >> to decrypt the SSL traffic (would this also be CPU intensive?)
> >
> > Yes. It will take near exactly the same amount of time and computation
> > since, in current code, the larger amount of time is spent looping on
> > candidate weak keys.
>
> Right. I'd been labouring under the misunderstanding that you could
> identify whether a key was weak without having to brute force it. Having
> looked at Paolo's patch a bit more, I now see that isn't true.

Same here...

> This certainly shouldn't be enabled by default - I don't want my
> wireshark to spend ages attempting to brute-force keys every time I
> happen to pick up a bit of SSL traffic.

As Wireshark is a "Network Protocol Analyzer" and not a "Vulnerability
Scanning Tool", I would prefer not to waste cycles on identifying
weak ciphers either...

> You could leave the code in there, and have an 'identify weak keys' menu
> option.
>
> But at present I'm changing my vote to 1) Don't include the code at all.

All considering, I vote for 1) as well.

Cheers,
Sake