Cryptographer fights RustSec ban over bug reports
Briefly

"I am an applied cryptographer who discovered critical cryptographic vulnerabilities in the hpke-rs crate, including a nonce-reuse vulnerability enabling full AES-GCM plaintext recovery and forgery. Over the past month, I have made repeated good-faith attempts to publish RustSec advisories for these vulnerabilities."
"Kobeissi's entire handling of the situation never seemed to be in good faith or proportional to me. He's been attacking the Cryspen maintainers accusing them of 'burying' issues, for what in my opinion was unobjectionable behavior."
"Kobeissi took aim at Cryspen, a cryptographic software firm based in Paris, in a February 5 blog post, complaining that the company fixed the bug without any public disclosure, security advisory, or acknowledgment that their 'formally verified' library had shipped with a defect that caused silent cryptographic failures in production environments."
Nadim Kobeissi has been advocating for code fixes in Rust cryptography libraries since February, citing critical vulnerabilities. After being dismissed and banned from Rust security channels, he escalated his complaint to The Rust Foundation, alleging a Code of Conduct violation. Kobeissi highlighted a nonce-reuse vulnerability in the hpke-rs crate. However, some, including cryptographer Filippo Valsorda, criticized Kobeissi's approach as lacking good faith. Valsorda's own bug report initiated the controversy, and he defended the maintainers' actions regarding the issues raised.
Read at Theregister