Security boffin Itsik Mantin has found a new attack based on old weaknesses that is the first 'practical' attack on SSL that does not require man-in-the-middle to steal sensitive data from RC4 algorithms.
The Imperva bod's research reveals a 13 year-old weakness in the superseded algorithm, which is known to be insecure but is still supported by most browsers.
In a paper Attacking SSL when using RC4 (pdf) written for a presentation given at Black Hat Asia yesterday Mantin describes how attackers can passively sniff SSL connections to pinch data.
"We show how this vulnerability can be used to mount several partial plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session cookies, passwords, and credit card numbers," Mantin says.
"As opposed to BEAST, POODLE, CRIME, and other attacks on SSL that were published in the recent years, including the attack by Bernstein et-al on the usage of RC4, the new attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials when delivered as POST parameters.
"Furthermore, one of the variants of the new attack requires only passive eavesdropping to SSL connections, and presents the first practical attack on SSL that does not require active man-in-the-middle."
Mantin told Dark Reading his so-called Bar Mitzvah attack could work on a third of TLS sessions that still support RC4 for performance reasons.
He says attackers with a sniffer in hand could steal parts of random key stored in plain text from vulnerable encrypted sessions prior to a message encrypted
Admins should disable RC4 while waiting for a "broad-brush retirement of RC4", Mantin says.
- Web application administrators should strongly consider disabling RC4 in their applications’ TLS configurations.
- Web users (particularly power users) are encouraged to disable RC4 in their browser’s TLS configuration.
- Browser providers would do well to consider removing RC4 from their TLS cipher lists.
- Organisations leveraging Imperva SecureSphere to protect their business-critical web applications and data, and wherein SecureSphere is set to handle TLS connections on behalf of the applications, can configure SecureSphere to stop using the weak ciphers and work only with robust ciphers