You may remember a few months ago that a timing attack against the elliptic
curve cryptography implementation in OpenSSL was announced:
http://eprint.iacr.org/2011/232
http://it.slashdot.org/story/11/05/27/1956231/openssl-timing-attack-can-intercept-private-keys
The same attack applies to NSS. A while back I submitted a bug and patch for
NSS, but it has been languishing in Bugzilla without any attention. While the
use of ECC in deployed TLS environments is quite low, it's still probably a
good idea to get the code patched. Perhaps someone will take a look at this
forlorn bug and patch?
https://bugzilla.mozilla.org/show_bug.cgi?id=660394
Douglas
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
