The tls timing tag covers discussions about timing-related vulnerabilities and race conditions in TLS and HTTP/2 implementations. Content includes analysis of CVE-2024-39936, a timing bug in Qt's HTTP/2 handling that can cause security-relevant decisions to be made before a TLS session is fully confirmed, potentially leaking data to the wrong endpoint. The tag focuses on the intersection of TLS handshake timing, HTTP/2 redirects, and TOCTOU (time-of-check time-of-use) issues in software libraries. Topics are relevant to developers and IT professionals working with secure network communications on Windows and other platforms.
-
Qt's HTTP/2 handling bug tracked as CVE-2024-39936 lets code make security-relevant decisions before a TLS session has been confirmed, creating a timing gap that can leak confidential data to the wrong endpoint when HTTP/2 and redirects are involved.
Background
In early July 2024 a...