New SSL Attack Exploits an Old Problem
A new attack could be the final straw for the RC4 encryption method, which is still used on many systems despite some publicized vulnerabilities and stern warnings from security experts. The Bar Mitzvah attack, announced at the Black Hat Asia conference last week, affects SSL connections that use RC4 for encryption. According to security expert Itsik Mantin, Bar Mitzvah is “… the first practical attack on SSL that does not require man-in-the-middle techniques to steal sensitive data ….”
The attack is actually based on a 13-year-old vulnerability that is “based on huge classes of RC4 weak keys ….” Previous attacks based on the Invariance Weakness vulnerability required active communication with the target system. The Bar Mitzvah attack is thought to be the first passive attack on RC4.
Web admins should disable RC4 on all web servers, and all users should disable RC4 from their browser’s SSL/TLS configuration. The recent IETF document RFC 7465 actually requires admins to disable RC4 for all TLS clients and servers.