Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment:

I'm pretty happy about the writeup. It comes with hand drawn diagrams :)


Also read the writeup by Juraj Somorovsky, who found the vulnerability with his cool new Java TLS test framework.

We chatted a bit with Juraj about how to extend this attack to full-message decryption (instead of only 16 bytes), and we are both pretty convinced that there's no way now.

A surprisingly high number of high-profile websites hadn't patched yet 10 hours after the release.

The vulnerable code was introduced while fixing Lucky13 (not by Adam Langley's patch, but in a multi-purpose uncommented function with three levels of #ifdef), and as Kenny Paterson points out, they even warned about it in the L13 paper!