crypto/tls: ambiguous comment in cipher_suites.go #14474
Labels
Comments
FiloSottile
pushed a commit
to FiloSottile/go
that referenced
this issue
Oct 12, 2018
A comment existed referencing RC4 coming before AES because of it's vulnerability to the Lucky 13 attack. This clarifies that the Lucky 13 attack only effects AES-CBC, and not AES-GCM. Fixes golang#14474 Change-Id: Idcb07b5e0cdb0f9257cf75abea60129ba495b5f5 Reviewed-on: https://go-review.googlesource.com/19845 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
FiloSottile
pushed a commit
to FiloSottile/go
that referenced
this issue
Oct 12, 2018
A comment existed referencing RC4 coming before AES because of it's vulnerability to the Lucky 13 attack. This clarifies that the Lucky 13 attack only effects AES-CBC, and not AES-GCM. Fixes golang#14474 Change-Id: Idcb07b5e0cdb0f9257cf75abea60129ba495b5f5 Reviewed-on: https://go-review.googlesource.com/19845 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L77
This line says "RC4 comes before AES (because of the Lucky13 attack)" when it should be clarified that AES-GCM is safe and therefore preferred over RC4.
The text was updated successfully, but these errors were encountered: