> Certainly it's not the case that anything is 'broken'.
Since others have found the links to the prior papers I don't have to worry about revealing anything by suggesting that there's prior work.
What I was trying to hint at (badly) while still giving the authors their presentation, is that there's a long history behind this. Any weaknesses in TLS 1.0 should be credited correctly (and I'm sure the authors will do so), but it makes me feel bad that it's getting lost in the coverage so far. There might be a neat demo on Friday (I don't know the details of that) but they didn't break anything themselves.
Note: I now have a draft of their paper but haven't read it yet.
I think it's open at this point that BEAST is substantially based on Bard 2004/2006. What's not clear is how much they've improved upon it. This is important for more than just assigning credit, it's important so we can decide how much resources to invest in reviewing the severity all over again.
* Rizzo and Duong have produced a working exploit. This is something Bard did not do. It's one thing to show something is possible and let the world forget about it soon after. It's another thing entirely to actually do it.
* Bard's papers, especially the first one, spends too much time talking about trojan browser plug-ins and Java applets. This minimizes the fundamental attack. Obviously a user who installs a browser plugin is pwned in far simpler ways than this.
* Rizzo and Duong have made some important improvements to the attack. It looks like Bard was heading in that direction in 2006 but did not get all the way. R&D are better at manipulating the underlying HTTP.
(Of course they need to go ahead and go public with the details already!)
Broken is when an attacker can decrypt your gmail without a fake cert. That's broken.
Are you saying that TLS 1.0 is not broken?
Sounds like instead you are saying that it's been broken for so long that this isn't breaking news. But "broken" as in "breaking news" is not at all how anyone parsing your initial post would grok it.
Since others have found the links to the prior papers I don't have to worry about revealing anything by suggesting that there's prior work.
What I was trying to hint at (badly) while still giving the authors their presentation, is that there's a long history behind this. Any weaknesses in TLS 1.0 should be credited correctly (and I'm sure the authors will do so), but it makes me feel bad that it's getting lost in the coverage so far. There might be a neat demo on Friday (I don't know the details of that) but they didn't break anything themselves.