by paulmillr 3839 days ago
It's fair to say that this is still a theoretical attack. As the authors of this paper mentioned, they don't see a way of turning the "flaw" into a real exploit.
3 comments

It's not a theoretical attack.

https://news.ycombinator.com/item?id=10713064

The article says:

"We stress that this is a theoretical attack on the definition of security and we do not see any way of turning the attack into a full plaintext-recovery attack."

... which appears wrong, and even published after the other paper?

And the article linked by tptacek (by the same authors) builds on this and shows practical attacks.

Theoretical attacks have a way of turning into weaponized exploits.

For example, check out https://www.openssl.org/~bodo/tls-cbc.txt. This is a document published by Bodo Moeller in the early 2000s that details multiple theoretical weaknesses in the CBC mode used in TLS. Read it top to bottom and see how many practical attacks on TLS you can count.

This one was turned into a further-weaponized attack, published in the author's master's thesis, which is in the bibliography for the paper.

I don't know why this paper was published independently, as it's a building block for the other attack.

What other attack?

Well, a theoretical attack is worse than no theoretical attack. Especially if there are perfectly fine protocols available that are IND-CCA2 secure.