RC4 in TLS is Broken: Now What?
https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
RC4 has long been considered problematic, but until very recently there was no known way to exploit the weaknesses. After the BEAST attack was disclosed in 2011, we—grudgingly—started using RC4 in order to avoid the vulnerable CBC suites in TLS 1.0 and earlier. This caused the usage of RC4 to increase, and some say that it now accounts for about 50% of all TLS traffic.
Last week, a group of researchers (Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt)announced significant advancements in the attacks against RC4, unveiling new weaknesses as well as new methods to exploit them. Matthew Green has a great overview on his blog, and here are the slides from the talk where the new issues were announced.
At the moment, the attack is not yet practical because it requires access to millions and possibly billions of copies of the same data encrypted using different keys. A browser would have to make that many connections to a server to give the attacker enough data. A possible exploitation path is to somehow instrument the browser to make a large number of connections, while a man in the middle is observing and recording the traffic.
We are still safe at the moment, but there is a tremendous incentive for researchers to improve the attacks on RC4, which means that we need to act swiftly.
What We (SSL Labs) Will Do
- Start warning our users about RC4 weaknesses. RC4 is demonstrably broken and unsafe to use in TLS as currently implemented. The difficulty is that, for public web sites that need to support a wide user base, there is practically nothing 100% secure they can use to replace RC4. We now have no choice but to accept that, no matter what settings we use, some segment of the user base will be at risk.
- If Apple were to implement 1/n-1 record splitting in their stacks (the only major browser vendor that hasn’t done that yet*), we’d likely consider BEAST sufficiently mitigated client-side, and that would allow us to start recommending CBC suites over RC4. Update: Apple implemented BEAST mitigations in OS X Mavericks in October 2013. This means that BEAST can generally be considered mitigated. Fore information, read the follow-up blog post.
- Start recommending the use of GCM suites. Browsers will no doubt provide better support for TLS 1.2 and GCM suites at an accelerated schedule, and site operators should be ready to take advantage of that.
- Update SSL/TLS Deployment Best Practices with new information.
- At some point in the near future, update the rating algorithm to take the RC4 weaknesses into account.
Recommendations
SSL/TLS Library developers
- Harden the stack against the Lucky 13 attack.
- Support TLS 1.2 and GCM suites as soon as possible.
Browser vendors
- Support TLS 1.2 and GCM suites as soon as possible.
- Implement 1/n-1 record splitting to make CBC suites safe in TLS 1.0 and earlier. As far as we are aware, Apple is the only remaining vendor that has not patched their browsers, either on OSX or iOS.
System administrators
- Disable TLS compression. This attack is similar in nature to the recent RC4 attacks, but practical.
- Support TLS 1.2 and GCM as soon as possible.
TLS Working Group
- Restore algorithm agility and diversity in TLS. AES GCM suites are now the only truly secure option in TLS, but we shouldn’t count on them to stay like that forever.
- Consider introducing other stream ciphers to the standard. Algorithm agility, which TLS already provides, is not sufficient if there is only one choice for a component.
- Consider changing how CBC is implemented in order to address the timing issues.
Application developers
- Harden session management to support reliable and frequent rotation of session cookies, triggered by elapsed time or the number of requests observed. Recent years have seen a rise in attacks that require attackers to control the client end of a TLS connection in some fashion. Most such attacks focus on extracting small bits of information, typically credentials. Session cookies are now the most popular target. Given how many requests are needed for the best attacks to succeed, rotating session cookies frequently is a good defense in depth measure.
RC4 in TLS is Broken: Now What?的更多相关文章
- [译]使用AES 256以达到SSL/TLS安全最大化
原文链接:https://luxsci.com/blog/256-bit-aes-encryption-for-ssl-and-tls-maximal-security.html 原文发表时间:201 ...
- [译]HIPAA要求的SSL/TLS等级
原文链接:https://luxsci.com/blog/level-ssl-tls-required-hipaa.html 原文发表时间:2015.1.13 本博文仅仅是上述原文的翻译,仅供研究参考 ...
- 使用openSSL开源工具进行SSL/TLS 安全测试
本文介绍了使用半自动化工具执行SSL&TLS安全性评估的过程,以及如何使用手动及工具的测试方法验证并发现问题.目的是优化TLS和SSL安全测试流程,帮助信息安全顾问在渗透测试时在TLS / S ...
- SSL/TLS 安全测试
本文介绍了使用半自动化工具执行SSL&TLS安全性评估的过程,以及如何使用手动及工具的测试方法验证并发现问题.目的是优化TLS和SSL安全测试流程,帮助信息安全顾问在渗透测试时在TLS / S ...
- Https实践
https实践 常用端口 ssh 22 telnet 23 ftp 21 rsync 873 http 80 mysql 3306 redis 6379 https 443 dns 53 php 90 ...
- (转)SSL/TLS 漏洞“受戒礼”,RC4算法关闭
原文:https://blog.csdn.net/Nedved_L/article/details/81110603 SSL/TLS 漏洞“受戒礼” 一.漏洞分析事件起因2015年3月26日,国外数据 ...
- [译]TLS中的RC4被攻破了,现在该怎么办?
原文链接:https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what 原文发表时间 ...
- SSL/TLS 漏洞“受戒礼”,RC4算法关闭
SSL/TLS 漏洞"受戒礼" 一.漏洞分析 事件起因 2015年3月26日,国外数据安全公司Imperva的研究员Itsik Mantin在BLACK HAT ASIA 2015 ...
- gRPC源码分析1-SSL/TLS
引子 前几天看到微信后台团队分享了TLS相关文章,正好gRPC里TLS数据加密是很重要的一块,于是整理出了这篇文章. 在gRPC里,如果仅仅是用来做后端微服务,可以考虑不加密.本文太长,先给个大纲. ...
随机推荐
- HDU - 1042-N!(Java)
Given an integer N(0 ≤ N ≤ 10000), your task is to calculate N! Input One N in one line, process to ...
- Python入门字符编码
计算机基础知识 一.应用程序任何操作硬件的请求都需要向操作系统发起系统调用,然后由操作系统去操作硬件 二.文本编辑器存取文件的原理 1.打开编辑器就打开了启动了一个进程,是在内存中的,所以,用编辑器编 ...
- jquery 初步学习
首先 jQuery是一个轻量级的 JS框架,核心文件才几十KB 1. jquery 对象 var $variable=jquery对象 var variable = DOM对象 $variable[0 ...
- appium连接夜神模拟器方法总结
使用appium连接模拟器前提条件:appium环境已经搭建完毕,搭建步骤请参考我的博客:appium手机自动化环境搭建 1.下载并安装夜神模拟器:https://www.yeshen.com/ 2. ...
- 所有节点配置NTP服务
主节点: 打开vim /etc/ntp.conf文件 For more information about this file, see the man pages # ntp.conf(), ntp ...
- springboot 启动的java进程默默终止
首先说明这是一个灵异事件......... 场景1 :把之前用map实现的缓存用Redis重构,高高兴兴上线更新,10 分钟后,老板告诉我,项目停了,what ??? 像我这么帅气,英俊,聪明的人,更 ...
- VBS 操作Excel
VBS操作Excel 打开excel Dim objExcel,objWorkbook,objSheet Set objExcel=CreateObject("excel.applicati ...
- equals()方法 与 == 区别
equals()方法 与 == 区别 : equals():在字符串中比较内容,则必须使用equals(变量),如果相等则为true,否则为false == :使用==比较的是地址是否一致 class ...
- RestTemplate中几种常见的请求方式
GET请求 第一种:getForEntity getForEntity方法的返回值是一个ResponseEntity<T>,ResponseEntity<T>是Spring对H ...
- DEDE模板中如何运行php脚本和php变量的使用
在使用dede模板的时候,经常会需要直接对dede数据库的底层字段进行处理,如果dede中没有相应的函数的时候,往往就需要我们想办法来处理了. 举例:我想取出数据表addonimages中的某一条记录 ...