IETF-SSH archive


Re: Terrapin



Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>I've mentioned my own understanding of the reason on-list recently; search
>for "SandP" in your back mail, or the archives if need be. (Most briefly, my
>understanding is that it's to defeat an attack, but in my opinion there are
>better defenses.)

I saw that, but the link posted is 404 (or at least "MySQL error"), I assume
it's the Paterson et al paper from 2009?  I can see that, due to the use of
AES-CTR in GCM, an attacker can make you see anything they want in the decrypted
packet rather than the CBC alternative where they just have to hope for the
best (with low probability), but if you've already closed that hole, or never
had it in the first place, I can't see what difference it'd make.  From the
code changes I had to make I'd say all the special-snowflake code added to
support EtM-OpenSSH is probably a much bigger issue in terms of attack
surface.

Peter.
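As an added illustration of the CTR-versus-CBC point made above (example code written for this archive page, not code from the list or from any SSH implementation): in CTR, the mode inside GCM, flipping a ciphertext bit flips exactly the corresponding plaintext bit, whereas in CBC the same flip garbles the whole block and only flips the next block. The 16-byte Feistel "block cipher", key, nonce and plaintext are constructed stand-ins for AES and real traffic; the closing check shows why an integrity tag (GCM's, or an EtM MAC) must be verified before anything in the decrypted packet is trusted.

```python
import hashlib
import hmac

BLOCK = 16  # toy block size, chosen to match AES


def _prf(key: bytes, data: bytes) -> bytes:
    return hashlib.sha256(key + data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # CTR is keystream XOR, so the same function encrypts and decrypts
    ks = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(ct) // 32 + 1))
    return _xor(ct, ks[:len(ct)])


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # constructed 4-round Feistel permutation standing in for AES (illustration only)
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, _prf(key, bytes([i]) + r)[:8])
    return r + l


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _feistel(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(_feistel(key, blk, range(3, -1, -1)), prev))
        prev = blk
    return b"".join(out)


def flip(ct: bytes, pos: int, old: int, new: int) -> bytes:
    # XOR the difference of two plaintext bytes into the ciphertext at pos
    ct = bytearray(ct)
    ct[pos] ^= old ^ new
    return bytes(ct)


def demo():
    key, nonce, iv = b"k" * 16, b"n" * 8, b"i" * 16       # constructed values
    pt = b"length=32  payload follows here!"               # 32 bytes, two blocks
    ctr_ct, cbc_ct = ctr_decrypt(key, nonce, pt), cbc_encrypt(key, iv, pt)
    ctr_seen = ctr_decrypt(key, nonce, flip(ctr_ct, 0, ord("l"), ord("X")))
    cbc_seen = cbc_decrypt(key, iv, flip(cbc_ct, 0, ord("l"), ord("X")))
    # EtM: a MAC over the ciphertext rejects the modified packet before decryption
    tag = hmac.new(key, ctr_ct, "sha256").digest()
    tag_seen = hmac.new(key, flip(ctr_ct, 0, ord("l"), ord("X")), "sha256").digest()
    return ctr_seen, cbc_seen, hmac.compare_digest(tag, tag_seen)
```

`demo()` returns the CTR result with exactly one byte changed, the CBC result with its first block garbled and one byte of the second block changed, and `False` for the tag check.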
