Although sensationalist title, always good to remember that attacks only get better - some angle might show up that changes this to be practical in some special circumstance. The takeaway here is to plan moving away from RC4 and there is still time to do this in orderly fashion
Virtually all server side hardware can do AES-NI instructions in hardware now (unless you are using ATOM cpu for ssl connections?) and most non-mobile hardware clients can do AESNI too for AES-128
The problem with AES isn't performance. Sites have been using AES ciphersuites in TLS for many years.
The problem is that the widely-deployed AES ciphersuite, like the ciphersuites for triple DES and IDEA, uses a construction from the '90s that is itself insecure. It's based on CBC mode (which is fine) in a MAC-then-encrypt configuration (which is not), which lead to the Lucky 13 attack, and which until TLS 1.1 didn't properly set up the IVs for each record, which lead to BEAST.
No major site used RC4 because it was more performant. They used it as a workaround to Lucky 13 and BEAST, because they couldn't count on browsers fixing those problems fast enough.
So as a sort-of-amusing counterpoint to this article, I know at least one ASV who insists that the only way to mitigate BEAST is to disable all ciphers but RC4. Still scratching my head on that one.
That tool you posted is great, hugely helpful for anyone who has to deal with this stuff.
Yes, I know, but it seems a little bit misguided / misleading, particularly since the BEAST in particular was pretty much mitigated in most browsers (see the link I posted + other links I posted below).
(The idea behind the config above is to propose TLS 1.2 ciphersuites, which aren't susceptible to BEAST, and leave RC4 as a fallback for older TLS implementations. But TLS 1.2 support in browsers is still problematic.)
Also, ECDHE-RSA-AES128-SHA256 is still decrypt-then-verify CBC mode, isn't it? GCM should be listed first.
A lot of sites are on hardware that's older than two years old (AES-NI didn't show up till Westmere), or an OS that's more than two years old (Ubuntu Lucid, for example, ships with OpenSSL 0.9.8).
I would love it if Atom gets AES-NI as most consumer/smb NAS devices us that CPU and it would mean that we could finally have essentially wire speed encryption for those devices.
(disclaimer: I'm the one who posted both the questions on security stackexchange and HN posts. I'm not trying to be a karma whore, just hoping to get some discussion going on around those... both went under the radar)
The first article ignores the decrypt-then-verify timing leak in the TLS CBC modes ("Lucky 13") when it suggests you might just switch back to AES-CBC because BEAST is hard to exploit.
The second article is based on the assumption that you can reliably pad the headers between the request and the cookie in a browser on every vector an attacker has to coerce a browser into making connections. People seem to be thinking about serverside fixes; this is a clientside problem.
would be interesting if you can share those thoughts on security stackexchange. Guys like Thomas Pornin seem very knowledgeable and I'd be curious to hear his take on this.
Does not seem like a big deal to me; because it's unlikely to work outside a lab environment, nor passed the first 256 bytes (without a truly massive amount of connections at least).
And all that work for what - to sniff out your own cookie?
I mean, what is this good for, it's not a man-in-the-middle attack, it's not a spoofing attack, etc?
*Though it's really good work on the researchers part, and the author of the article explained it all in an excellent way.
No, I think you've misunderstood this attack at multiple points. The attack gives the researchers the ability to use any HTML page on the Internet to trick your browser into launching an attack on your Paypal cookie. Once they have that cookie, they don't care about MITM attacks; they'll just impersonate you.
The attack is very time-consuming, though, so you're right that it's not a particularly urgent real-world threat at the moment.
It does apply to those protocols, except that it's much harder to coerce a victim into making hundreds of millions of connections to an IMAP server.
On the other hand, those questions are based on the logic that only the first few bytes of the connection are exposed to the attack. That turns out not to be true. There are biases hundreds of bytes into the keystream. The earlier biases seem to be easier to detect, which might make an attack somewhat faster against a protocol where the secret was exchanged earlier than HTTPS.
But doesn't this attack only reveal the second byte of the RC4 cipher? If I got it right it is some kind of frequency analysis that doesn't reveal the entire key (cipher), or at least with high probability (higher than 1)..
