SSL, the most widely-used secure communications protocol on the Internet today, has been found to be putting billions of users’ sensitive data at risk due to a number of vulnerabilities.
For SSL to be found with significant vulnerabilities is worrying, as it serves as the basis of the HTTPS protocol for securing web browsing and is used for securing a wide variety of application-level traffic.
It is used in conjunction with IMAP or SMTP to cryptographically protect email traffic, as well as being a popular tool to secure communication with embedded systems, mobile devices, and in payment systems.
Imperva has identified that the RC4 algorithm, known to be a weak cipher for many years, can be potentially used to catastrophic effect.
The cyber security provider identified a new Man-in-the-Middle attack, similar to the BEAST vulnerability first discovered in 2011, on SSL with RC4. This attack allows the attacker to extract partial information from the protected data.
The Imperva research shows that this leakage is significant, facilitating faster brute force attacks on things such as passwords, credit card numbers, and session cookies.
The RC4 algorithm was also found to be able to leak SSL protected data in 1 out of 16 million RC4 encryptions, summing up to thousands of secure messages that are potentially compromised every day.
A passive variant of the attack, believed to be the first passive attack on SSL, leaks secret information of a random victim, while the attack is also more ‘stable’ then past SSL attacks. This means the attacks work in more scenarios, for example, when the attacker tries to steal short-lived session cookies.
In a warning which should be heeded by many, the research warns that every single time someone uses SSL with RC4 to protect their data, that person has a small but non-negligible chance to have his data compromised.
Imperva recommends that web administrators disable RC4 in their SSL configuration; web users disable RC4 in their browser SSL configuration; and browser providers remove RC4 from their SSL cipher list.
"The research team that comprises the Application Defense Center is constantly updating existing work, exploring new vulnerabilities and publishing reports that provide insight and guidance on the latest threats," said Itsik Mantin, director of security research, Imperva.
"This latest research on the vulnerabilities affecting the SSL protocol, a connection that literally affects billions of users every day, is just another example of how we’re helping to alert users of online threats, while providing actionable guidance on how security professionals can protect their organization from the latest threats."
