Using a new technique, researchers have come within 52 Hours cracked the data of an encrypted cookies and then could sign on behalf of the victim at a site. So far, the researchers took about 2000 hours, an RC4 encryption overturn.
The encryption of Web cookies can be cut short. About the attack RC4 Nomore it is possible, read user data from the communication with HTTPS-secured pages within a few hours. The two researchers Mathy Vanhoef and Frank Piessens of Leuven University have found a way, exploit vulnerabilities in the RC4 encryption algorithm. As they show in a paper, the researchers can 'RC4 Nomore' (Numerous Occurrence MOnitoring & Recovery Exploit) decrypt in a comparatively short time Web cookies. the result: Attackers could use the data obtained in this way, to register, for example, under false names at a web page.
RC4 is one of the options, the one for HTTP encryption via Transport Layer Security (TLS) is available. Through this encryption is to prevent, that the traffic between servers and users can be intercepted. Although RC4 is still widespread, but now almost 30 Year-old algorithm is generally considered vulnerable to modern cyber attacks. Therefore, the Internet Engineering Task Force bans (IETF) the use of RC4 since February 2015.
used according to the International Computer Science Institute at Berkeley University in California 12,8 Percent in the past 30 Days captured cipher RC4 Collections. So hundreds of thousands of sites thus are vulnerable to RC4 Nomore attacks worldwide. Operators of these sites can not guarantee the security of data of its users.
Further details on their investigation and want Vanhoef Piessens in August at the Usenix Security Symposium imagine in the US capital Washington.
[With material by Stefan Beier man, ZDNet.de]