
But http://eprint.iacr.org/2006/136 sure looks like a real attack to me. OpenSSL had released mitigations for it in the past but had to turn them off for compatibility reasons.

Duong and Rizzo claim to be able to work out the session cookie in a few minutes from a network-level MitM, and they have come through on their promises before.

How does this add up to nothing being 'broken'?


