International Cyber Expo International Cyber Expo
  • About Us
Sunday, 19 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

IBM blocks attack in SSL/TLS – The Bar Mitzvah attack

by The Gurus
April 27, 2015
in Opinions & Analysis
Share on FacebookShare on Twitter

IBM recently issued a security bulletin for a newly discovered security vulnerability – a weak cryptography algorithm in the SSL/TLS protocol stack–that could allow hackers to steal data. That vulnerability was discovered by Itsik Mantin, director security research at Imperva.
The Bar Mitzvah attack uses “a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak keys.” Mantin demonstrates how the vulnerability “can be used to mount several partial plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session cookies, passwords, and credit card numbers.”
Despite the well-known problems with the RC4 cipher, it is still used to protect 30 percent of SSL traffic, Mantin says, “likely amounting to billions of TLS connections every day.” (TLS refers to a more advanced version of Secure Sockets Layer encryption, and is essentially a new name for SSL.) It is clear that it’s time to stop using RC4.
That’s exactly what IBM recommends doing in its security bulletin on the matter. Instead of issuing a patch or a PTF that removes RC4 from the various SSL/TLS implementations on IBM i, IBM’s workaround recommends disabling RC4.
Mantin adds “As known for quite many years, RC4 is a weak encryption algorithms and the fact that it is still used in situations where there are safer alternatives (in TLS for example), is quite surprising.
Several researches in the recent years, the Bar-Mitzvah attack being the most recent one, had bridged the gap between cipher vulnerabilities and actual attacks on actual usages of RC4, and to the understanding in the industry that using RC4 in TLS exposes the protected data to leakage in several scenarios.
IBM follows other companies (Microsoft, Imperva and others) and standardization bodies (IETF issuing RFC 7465) in taking action to remove RC4 from the permissible ciphers list in TLS connections.”

Tags: Bar Mitzvah attackCyber SecuritycybersecurityEncryptionHeartbleedIBMImpervainformation securityMicrosoftRC4SSLTLSVulnerability
ShareTweet
Previous Post

Over half of outsourcing budgets are being spent on reducing IT costs, not business benefits

Next Post

SendGrid email service hacked, used to steal credentials

Recent News

CISOs say boardrooms still don’t grasp the human cyber risk AI is supercharging

CISOs say boardrooms still don’t grasp the human cyber risk AI is supercharging

July 17, 2026
AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

AI Appreciation Day: Security Leaders Say the Celebration Needs an Asterisk

July 16, 2026
Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

Q&A: Businesses Are Running Out of Time to Prepare for the Quantum Threat, Warns Moona Ederveen-Schneider

July 15, 2026
Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

Proton Launches Business Continuity Service to Keep Firms Communicating Through Outages

July 15, 2026

Eskenzi PR banner ad

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol