Despite the obligatory logo and clever name, this week’s assault on crypto, the so-called DUHK attack (Don’t Use Hardcoded Keys), isn’t likely to be part of many threat models.
Though the attack can be used to passively decrypt VPN and encrypted browser traffic, it relies on a host of implementation errors in admittedly ancient security appliances to trigger a vulnerability known for two decades in a pseudorandom number generator.
Leave a reply
