1. Computing

New HTTPS exploit leaves hundreds of sites vulnerable, but there’s an easy fix

By

HTTPS Exploit Leaves Sites Vulnerable
ronstik / 123RF.com
Researchers at INRIA, the French national research institute for computer science, have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft.

Karthikeyan Bhargavan and Gaetan Leurent, have devised and carried out an attack – in a crypto research lab – which can pirate traffic from over 600 of the web’s most popular sites and lay bare your previously secure login information.

The exploit, dubbed ‘Sweet32’, isn’t easy to carry out, however. It involves mining hundreds of gigabytes of data, and targeting specific users who have accessed a malicious website which saddled them with a bit of malware. Still, the difficulty in carrying out the attack is outweighed by just how completely it subverts some of the internet’s most common encryption schemes.

While the attack is very difficult to carry out in practice, the existence the exploit has security experts on the OpenSSL development team taking notice.

By mining HTTPS or OpenVPN encrypted traffic, the researchers were able to use a mathematical paradox to identify portions of encrypted information and decipher login and password credentials in their entirety.

Don’t panic just yet, security experts speaking with Ars Technica are convinced that the threat posed by the exploit is minimal, in part due to the fact that it’s got a relatively simple fix.

The key vulnerability exploited in the secret-cookie-decryption-scheme is only found in 64-bit block ciphers, which OpenVPN developers have already addressed in the most recent version of their VPN software. Other security experts speaking with Ars have confirmed that the exploit poses little threat as long as developers get on board and stop using 64-bit block ciphers like Triple DES, or ‘3DES’.

“The 3DES issue is of little practical consequence at this time. It is just a matter of good hygiene to start saying goodbye to 3DES,” said Viktor Dukhovni, a member of the OpenSSL team.

Editors' Recommendations

Dead Fury plays like a greatest hits of zombie shooters

A lone man stands with his gun raised as he is attacked my zombies

Why the M1 MacBook Air is still an excellent buy today

MacBook Air 2020

Best cheap Xbox One controller deals for October 2021

microsoft xbox one review controller angle

Staples slashes the Microsoft Surface Pro 7 price, now that the Surface 8 is out

Microsoft surface pro 7 tablet being used as a drawing pad with the touchscreen by a person, hand holding a stylus, sitting at a table in a home setting.

Best cheap gaming PC deals for September 2021

best graphics card for gaming origin neuron desktop review lifestyle behind shoulder

The best PS5 games for 2021

playstation 5 controller and ps5

The best movies leaving Amazon Prime Video at the end of September

Denzel Washington and Gene Hackman in Crimson Tide.

5 people we want to walk with on Apple’s Time to Walk

Apple Time to Walk

The best movies on Disney+ right now

Macaulay Culkin screams in a scene from Home Alone.

The 50 best movies on Netflix right now

David Bowie in Labyrinth

The 60 best shows on Hulu right now

Ice-T and Mariska Hargitay standing together in a scene from Law & Order: SVU.

The best shows to binge-watch on Netflix right now

Hamish Linklater as Father Paul in Midnight Mass.

The 91 best movies on HBO Max right now

Carey Mulligan in Promising Young Woman.