Posted on 03/26/2015 10:43:03 AM PDT by Citizen Zed
SSL/TLS encryption once again is being haunted by an outdated and weak feature long past its prime: a newly discovered attack exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS that's still supported in many browsers and servers.
Itsik Mantin, director of security research with Imperva, at Black Hat Asia in Singapore today will detail how an attacker could sniff credentials and other information during an SSL session in an attack he named the "Bar Mitzvah Attack" after 13-year-old weaknesses in the algorithm it abuses. The attack is a glaring reminder that the RC4 algorithm, long known to be breakable, should be put to rest once and for all, according to Mantin.
Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, Mantin says.
(Excerpt) Read more at darkreading.com ...
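As an added illustration (my own code, not from the Dark Reading article, from Mantin's talk, or from anyone in this thread), the Python script below shows the kind of RC4 weak-key behaviour the excerpt refers to: for keys whose bytes share a fixed pattern in their low bits, the key schedule leaves the low bits of the state permutation almost untouched, and the low bits of the keystream then become predictable without knowing the rest of the key. The key class used here (16-byte keys with K[r] ≡ 1 - r mod 2^q, with K[0] = 1 and K[1] = 0 fixed) and the prediction r(r+3)/2 mod 2^q are my own construction and derivation, chosen so that the permutation property can be stated exactly; they are not the specific key class or numbers from the Bar Mitzvah paper. The RC4 implementation is the textbook one, checked against the public "Key"/"Plaintext" test vector, and os.urandom fills the unconstrained key bits.

```python
import os

N = 256  # RC4 state size


def ksa(key: bytes) -> list:
    """RC4 key scheduling algorithm: returns the 256-entry permutation S."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def prga(S: list, n: int) -> bytes:
    """RC4 output generator: first n keystream bytes for state S (S is not modified)."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 encryption/decryption: XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, prga(ksa(key), len(data))))


def weak_key(q: int, length: int = 16) -> bytes:
    """Constructed weak key (my own class, not the Bar Mitzvah paper's):
    byte r has low q bits equal to (1 - r) mod 2**q, K[0] = 1 and K[1] = 0
    exactly, and the remaining high bits random. Requires 2**q | length."""
    b = 1 << q
    if length % b:
        raise ValueError("key length must be a multiple of 2**q")
    rnd = os.urandom(length)
    key = bytearray(((rnd[r] >> q) << q) | ((1 - r) % b) for r in range(length))
    key[0], key[1] = 1, 0
    return bytes(key)


def conserved_count(S: list, q: int) -> int:
    """How many indices t satisfy S[t] == t (mod 2**q).
    For a key from weak_key(), step 0 of the KSA swaps S[0] and S[1] and
    from step 1 on j == i (mod 2**q) at every step, so each swap exchanges
    two entries of the same residue class. Only the values 0 and 1 moved in
    step 0 stay out of place, giving exactly 254 conserved indices."""
    b = 1 << q
    return sum(S[t] % b == t % b for t in range(N))


def predicted_low_bits(r: int, q: int) -> int:
    """Low q bits of keystream byte r (r = 1, 2, ...) while the permutation
    stays conserving during the PRGA: j_r == 1 + 2 + ... + r = r(r+1)/2 and the
    output index S[r] + S[j_r] == r + j_r, so Z_r == r(r+3)/2 (mod 2**q)."""
    return (r * (r + 3) // 2) % (1 << q)


def keystream_match_rate(q: int, trials: int = 200, nbytes: int = 16) -> float:
    """Fraction of the first nbytes keystream bytes, over `trials` random weak
    keys, whose low q bits equal predicted_low_bits(r, q). The two unconserved
    entries occasionally disturb an early byte, so this is below 1.0 but far
    above the 1/2**q expected from a random keystream."""
    b = 1 << q
    hits = 0
    for _ in range(trials):
        ks = prga(ksa(weak_key(q)), nbytes)
        hits += sum(ks[r - 1] % b == predicted_low_bits(r, q)
                    for r in range(1, nbytes + 1))
    return hits / (trials * nbytes)


if __name__ == "__main__":
    # Public RC4 test vector: key "Key", plaintext "Plaintext".
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    q = 4
    weak, normal = weak_key(q), os.urandom(16)
    print("weak key  :", weak.hex(), "conserved:", conserved_count(ksa(weak), q))
    print("random key:", normal.hex(), "conserved:", conserved_count(ksa(normal), q))
    print(f"low-{q}-bit keystream prediction hit rate over weak keys: "
          f"{keystream_match_rate(q):.2f} (chance level {1 / (1 << q):.3f})")
```

Run as a script, it prints the conserved-index count for a weak key next to an ordinary random key, then the hit rate of the keystream prediction over many random weak keys. In TLS the RC4 key comes out of the handshake, so an attacker cannot choose it; what a passive attacker can do is record sessions and look for those whose key happens to fall into such a class, where known low bits of the keystream leak low bits of the plaintext. On the server side the remedy the thread is asking for is simply to drop RC4 from the cipher list (for example `!RC4` in an OpenSSL cipher string).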
Browsers and other apps ought to let you completely disable these older ciphers. If anyone is still using RC4 handshakes, I don’t want anything to do with them.
I haven’t supported ARC4 in years... the weakest cipher I even bother with is Triple-DES... 168 bits of security, 112 bits of actual entropy. (All three keys are independent of each other.)
I use AES whenever possible...
The main reason that these old protocols are still in use at all is to support the people still using ancient browsers like IE6.
Reason enough to finally break support for these old browsers for any SSL communications. IE6 has been a hack and bane to the internet for long enough.
Yes! Especially given the fact that the vast majority of remaining IE6 users are in China using illicit copies of XP.