Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 8 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

RC4 flaws in SSL could allow for major data compromise

by The Gurus
March 26, 2015
in Editor's News
Share on FacebookShare on Twitter

The RC4 protocol remains a troublesome part of the SSL, and weaknesses allow for a new Man-in-the-Middle attack vector.
According to the new Hacker Intelligence Initiative Report from Imperva, titled “Attacking SSL when using RC4”, an attack which targets the very basic encryption which is used by SSL/TLS, as well as independently of SSL/TLS, can break supposedly sensitive communications. Around 30 per cent of SSL connections use RC4, despite the cipher being designed more than a quarter of a century ago.
New attack methods are more “stable” than previously published attacks on SSL, Imperva found, and it works in more scenarios. It said that on every attempt, the attacker has some chance to succeed in stealing data from a target as every single time someone uses SSL with RC4 to protect their data, that person has a small but non-negligible chance to have his data compromised.
In the new weakness, named “Invariance”, Imperva said that as RC4 encryption keys are generated for upstream and downstream communication, where the upstream key is used for encryption of client-to-server communication and the downstream key for encryption of server-to-client communication, the Invariance Weakness is expressed only in the first 100 bytes of the keystream.
If an attacker can “sniff” a large number of SSL connections encrypted with RC4, and finds a weak key, the attacker predicts the LSBs of the keystream bytes and uses these to extract the LSBs of the plaintext bytes from the ciphertext with significant advantage.
“In order to fulfil this scenario, the attacker needs to determine which SSL sessions are the ones in which weak keys were used,” the report said. “For this isolation, the attacker can use the fact that the first encrypted bytes include the SSL ‘Finished’ message and HTTP request, both having predictable information. Thus, when a weak key is used, the plaintext patterns are XOR-ed with keystream patterns, generating ciphertext patterns visible to the attacker.”
In an email to IT Security Guru, Amichai Shulman, CTO of Imperva, said that exploiting the vulnerability when RC4 is being used for SSL/TLS is easier than in other usages. Asked why RC4 is still included as a legitimate ciphersuite, he said that even though it is known to be weak, it is probably there is no better or popular, streamcipher.
He said “Creating a new cipher is not easy. RC4 was believed to be strong for many years. The process of accepting a new standard cipher is long and tedious (see how long it took to standardise AES). I think that basically the community is leaning towards not using stream ciphers anymore and therefore once RC4 is officially retired I’m not sure a new stream cipher will emerge. “
Imperva encourages web administrators to disable RC4 in their SSL configuration; web users to disable RC4 in their browser SSL configuration; and browser providers to remove RC4 from their SSL cipher list.

FacebookTweetLinkedIn
Tags: EncryptionHTTPSSSL
ShareTweetShare
Previous Post

Lastminute Data Protection

Next Post

Certificate security – is anything real?

Recent News

Cato Networks delivers first CASB for instant visibility and control of cloud application data risk

Cato SASE Cloud Named “Leader” and “Outperformer” in GigaOm Radar Report for SD-WAN

February 7, 2023
AT&T Cybersecurity grows SASE offering by adding Palo Alto Networks

UK second most targeted nation behind America for Ransomware

February 7, 2023
safe

Will Emphasising App Security Lead to More App Installs?

February 6, 2023
Phone with app store open

$400,000 Fine for Stalkerware App Developer

February 6, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information