Weblog

22 August 2014, 09:03

Version 9.7 of the Hiawatha webserver has been released. With this new version, you are allowed to use the UseToolkit option in a .hiawatha file at the root of your website. In an UrlToolkit rule, you can now check for the used request method. The default value of DHsize has been increased to 2048 and the PolarSSL library has been updated to 1.3.8. For other changes, please read the changelog.

For the next release, I will take a look at supporting websockets. Since I'm not familiar with websockets, I could use some help with that. If you are a websocket expert, please read this forum topic.

ZEROF
22 August 2014, 10:05
Thanks for the update. Just edit your blog post version; it's not 9.6.
Ali
22 August 2014, 10:06
Thanks Hugo. I believe you should be using "9.7" instead of "9.6" on the first line
Hugo Leisink
22 August 2014, 10:17
Chris Wadge
22 August 2014, 11:04
Hey there, new Debian builds are up: http://files.tuxhelp.org/hiawatha/

apt.sparkz.no should be synced shortly.

Thanks for the new release, Hugo.
J. Lambrecht
22 August 2014, 11:26
Thanks again for this great software Hugo

Not looking to throw any sand into the picnic, but has PolarSSL been validated against http://www.cs.tau.ac.il/~tromer/handsoff/
Hugo Leisink
22 August 2014, 12:13
Don't know. You better ask the PolarSSL developer.
Heiko
22 August 2014, 13:40
All works fine, thank you Hugo.

@J. Lambrecht,
tell us, what is the result of your investigation?
But one thing is sure: when anybody has physical access to your host, you have more than one problem.^^
Chris Wadge
22 August 2014, 18:42
@J. Lambrecht, I was going to say the same as @Heiko. We used to say years ago, "physical access is root access" -- it's just a matter of time. It seems to me this particular attack would be much more effective against the client, in any case, since your typical server is locked up somewhere secure, like an IDC, and typically shares the power bus with a bunch of other servers. Too hard to pinpoint from outside the facility. If you target the user, it'd be more useful to evaluate the user's end of the tunnel, since many browsers use many different methods to provide TLS.
J. Lambrecht
9 September 2014, 16:52
I cannot comment other than by saying physical access does not mean root access in a DC, unless one can execute a handsoff attack. Even then, variables apply. I'm quite confident this type of attack could most likely be engineered to work remotely as well, though a line of sight would most likely be necessary.
Chris Wadge
10 September 2014, 12:57
I did mention that this shouldn't be true in an IDC (Internet Datacenter):
... It seems to me this particular attack would be much more effective against the client, in any case, since your typical server is locked up somewhere secure, like an IDC, and typically shares the power bus with a bunch of other servers. Too hard to pinpoint from outside the facility. ...

But if you can get physical access, there's a good chance you can get more privileges than the admin intended. What I was trying to say is that there are easier ways to gather sensitive information than a physical side-band attack.