RC4, CBC, what the …?
BEAST & Lucky Thirteen attacks said, “Prioritize RC4 cipher suite.” AlFBPPS attack said, “RC4 is old and crummy. CBC-mode would be better.”
RC4 Attack in SSL/TLS
The team of Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt published an RC4 encryption attack in SSL/TLS.
CRIME Attack on SSL/TLS
The security researchers who brought us BEAST now have a new SSL/TLS attack: CRIME. I would like to know what the acronym CRIME stands for, but we’ll probably have to wait until Juliano Rizzo and Thai Duong present their work at Ekoparty Security Conference later this month. Little information about the attack has been published. [Read More...]
BEAST and RC4
In order to mitigate a BEAST attack, the advice is to prioritize RC4 cipher suites on your Web server to avoid the use of vulnerable cypher block chaining (CBC) suites. But how well do the clients support RC4? Ivan Ristić of Qualys did some tests at SSL Labs and saw that only 45 of 48,481 unique [Read More...]
Don’t fear the BEAST
A few weeks ago, Juliano Rizzo and Thai Duong published a paper on an SSL attack that they call BEAST, which decrypts parts of an SSL connection. Before I discuss it at length, let me cut to the chase on it. Q: Is this something that you need to worry about? A: No. Here’s a [Read More...]
Taming the BEAST
The BEAST’s reign of terror may soon be over. The more this topic is discussed, the less vulnerable we appear to be. Adrian Dimcev states in his blog, “Although the attack itself is pretty neat and the demo looks scary, its practicality is very low; the average user would probably not need to worry about.” [Read More...]
BEAST: Attacking SSL/TLS
In the wake of the DigiNotar comprise comes BEAST, the latest attack on the SSL/TLS protocol — specifically SSL 3.0 (1996) and TLS 1.0 (1999). The recent attacks on certification authorities (CA) such as Comodo, StartCom, DigiNotar and GlobalSign were attempts to get the CAs to issue fraudulent SSL certificates. BEAST is not used to [Read More...]