How POODLE Happened (dfranke.us)
162 points by dfranke on Oct 15, 2014 | hide | past | favorite | 7 comments



If I disable everything except TLS 1.2 in nginx, how much breakage should I expect? Has anyone tried?

The latest stable Fx and Chrome, including mobile, will still work, right? What about various web services like rss readers or the google bot?


I wish there was an easy way to log what version of SSL/TLS client used and with what ciphers for all mainstream web servers. Then you could just run a script on it and see how many would break. Could be useful for other things too.
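The two comments above ask what a TLS 1.2-only policy would break and wish for a log of which protocol version and cipher each client negotiated. The following is an added example, not code from the thread or from nginx: it assumes the custom nginx `log_format` shown in the comment at the top of the block (built from the real `$ssl_protocol` and `$ssl_cipher` variables of `ngx_http_ssl_module`), parses a few constructed log lines, and counts how many TLS connections would be refused if only TLS 1.2 were allowed. The `audit` and `parse_line` helpers and the sample traffic are illustrative.

```python
import re
from collections import Counter

# Assumed nginx configuration for the log lines parsed below (added example):
#   log_format tlsaudit '$remote_addr [$time_local] "$request" $status '
#                       'proto=$ssl_protocol cipher=$ssl_cipher ua="$http_user_agent"';
#   access_log /var/log/nginx/tlsaudit.log tlsaudit;
# $ssl_protocol and $ssl_cipher are empty (logged as "-") on plain-HTTP requests.

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'proto=(?P<proto>\S+) cipher=(?P<cipher>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample traffic, not a real log.
SAMPLE_LOG = """\
203.0.113.5 [15/Oct/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 ua="Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
203.0.113.9 [15/Oct/2014:10:00:02 +0000] "GET /feed HTTP/1.1" 200 proto=TLSv1 cipher=AES128-SHA ua="FeedReader/1.0"
198.51.100.7 [15/Oct/2014:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 ua="Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.8 [15/Oct/2014:10:00:04 +0000] "GET / HTTP/1.1" 200 proto=SSLv3 cipher=RC4-SHA ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.4 [15/Oct/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 proto=TLSv1.1 cipher=ECDHE-RSA-AES256-SHA ua="curl/7.30.0"
192.0.2.4 [15/Oct/2014:10:00:06 +0000] "GET /a HTTP/1.1" 200 proto=- cipher=- ua="curl/7.30.0"
"""


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text: str, allowed=frozenset({"TLSv1.2"})) -> dict:
    """Tally negotiated protocol versions and estimate breakage under a version policy.

    `allowed` is the set of protocol versions the server would keep enabled
    (for nginx: `ssl_protocols TLSv1.2;`). Every TLS connection that used a
    version outside that set is counted as one that would fail the handshake.
    """
    by_protocol = Counter()
    breaking_agents = Counter()   # (user agent, protocol) pairs that would break
    parsed = plain_http = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parsed += 1
        if rec["proto"] == "-":        # plain HTTP, no TLS handshake involved
            plain_http += 1
            continue
        by_protocol[rec["proto"]] += 1
        if rec["proto"] not in allowed:
            breaking_agents[(rec["ua"], rec["proto"])] += 1
    tls_total = sum(by_protocol.values())
    would_break = sum(n for proto, n in by_protocol.items() if proto not in allowed)
    return {
        "parsed": parsed,
        "plain_http": plain_http,
        "tls_connections": tls_total,
        "by_protocol": dict(by_protocol),
        "would_break": would_break,
        "break_ratio": would_break / tls_total if tls_total else 0.0,
        "sslv3_connections": by_protocol.get("SSLv3", 0),   # POODLE-exposed clients
        "breaking_agents": dict(breaking_agents),
    }


def report(summary: dict) -> str:
    """Human-readable summary of an audit() result."""
    lines = [f"TLS connections: {summary['tls_connections']} "
             f"(plus {summary['plain_http']} plain HTTP)"]
    for proto, n in sorted(summary["by_protocol"].items()):
        lines.append(f"  {proto:<8} {n}")
    lines.append(f"would break under policy: {summary['would_break']} "
                 f"({summary['break_ratio']:.0%}), SSLv3 users: {summary['sslv3_connections']}")
    for (ua, proto), n in sorted(summary["breaking_agents"].items()):
        lines.append(f"  {n}x {proto}: {ua}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_LOG)))
```

Run it against a real log captured with that format (or the equivalent HAProxy `%sslv`/`%sslc` log-format tags) and the `breaking_agents` map tells you which user agents, feed readers or bots would be cut off before the policy is changed; the `sslv3_connections` figure separately shows how many clients are still negotiating the version POODLE affects.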


%sslc in haproxy I think


http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_br...

You would probably break your site for a lot of your users.

> The newest stable Fx and Chrome, including mobile, will still work, right?

I think so.

> What about various web services like rss readers

They should be fine... unsure. I presume most web services use openssl... and thanks to heartbleed they should be using latest openssl libraries.

> or the google bot

I doubt googlebot would have issues scraping you, but I don't think google would rank you well if they knew your site would be broken for a significant chunk of users.


My guess is CURL-based bots will fail (CURL had some problems with TLS 1.2-only auth), custom-written bots may too depending on architecture and (maybe) used openssl lib version. For browser support see http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_br...


Really great explanation. As I asked there, I don't see how it can be used if we don't know how long the padding is.

One idea would be to try to change the ciphertext so it would produce an entire padding block (and then it would be easy to test if it is indeed an entire block of padding just by tampering with it without modifying the last byte, and it would still be accepted).

I guess someone here could answer my question?


One of the requirements for the attack is partial plaintext control. This is feasible if you're running malicious JavaScript in the user's browser.

So what you do is generate an HTTP request that, taken together with the SSL MAC, will align on a block boundary. Then you're guaranteed to have one full block of padding.

It might sound difficult to pull this off with multiple unknowns (other cookies, user agent string, etc.), but in practice it would be easy. You could make sure things line up correctly just by incrementing your packet length by one byte at a time until you see the record size jump by a block.
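The two comments above turn on one detail of the record layer: SSLv3 checks only the padding-length byte, so a block of padding can be altered "without modifying the last byte" and still be accepted, while TLS 1.0 and later reject any padding whose filler bytes were changed. The block below is an added example, not code from the thread or from the linked article, that implements both unpadding rules side by side and shows the difference on a constructed record with an 8-byte block size; `pad_record`, `overwrite_filler` and `compare_padding_rules` are illustrative helpers, and the MAC step that a real stack performs afterwards is left out.

```python
from typing import Optional


def pad_record(payload: bytes, block_size: int) -> bytes:
    """Append CBC padding as TLS 1.0+ does: a length byte preceded by that many
    filler bytes, each equal to the length byte. When the payload (data + MAC)
    already ends on a block boundary, this yields one whole block of padding,
    the alignment the comment above describes."""
    pad_len = block_size - 1 - (len(payload) % block_size)
    return payload + bytes([pad_len]) * (pad_len + 1)


def strip_sslv3_padding(plain: bytes, block_size: int) -> Optional[bytes]:
    """SSLv3 rule (RFC 6101): the last byte gives the padding length, which must
    be smaller than the block size. The filler bytes are not inspected, and the
    SSLv3 MAC does not cover them, so their content is never validated."""
    if not plain or len(plain) % block_size:
        return None
    pad_len = plain[-1]
    if pad_len >= block_size or pad_len + 1 > len(plain):
        return None
    return plain[:len(plain) - pad_len - 1]


def strip_tls_padding(plain: bytes, block_size: int) -> Optional[bytes]:
    """TLS 1.0+ rule (RFC 2246 / RFC 5246): every filler byte must equal the
    length byte, so a record whose padding content was altered is rejected."""
    if not plain or len(plain) % block_size:
        return None
    pad_len = plain[-1]
    if pad_len + 1 > len(plain):
        return None
    if any(b != pad_len for b in plain[-(pad_len + 1):]):
        return None
    return plain[:len(plain) - pad_len - 1]


def overwrite_filler(record: bytes, block_size: int) -> bytes:
    """Constructed for the demo: replace every byte of the final block except
    its last byte, i.e. change the padding content but not the length byte."""
    return record[:-block_size] + b"\x41" * (block_size - 1) + record[-1:]


def compare_padding_rules(payload: bytes, block_size: int = 8) -> dict:
    """Pad a payload, alter the padding filler, and report which rule still accepts it."""
    record = pad_record(payload, block_size)
    altered = overwrite_filler(record, block_size)
    return {
        "full_padding_block": record[-1] == block_size - 1,
        "sslv3_accepts_altered": strip_sslv3_padding(altered, block_size) is not None,
        "tls_accepts_altered": strip_tls_padding(altered, block_size) is not None,
    }


if __name__ == "__main__":
    # 16-byte constructed payload: fills two whole blocks, so the padding is a full block.
    print(compare_padding_rules(b"GET / HTTP/1.0\r\n"))
```

Because the SSLv3 check passes for any filler content, a receiver tells the sender nothing more than "padding length byte OK" versus "not OK", and that is the oracle the linked post describes; TLS closes it by validating every padding byte. The practical consequence for a server operator is the one the thread already reaches: stop offering SSLv3 at all, and on the client side support TLS_FALLBACK_SCSV (RFC 7507) so a connection cannot be downgraded to it.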



