Skip to main content

New HTTPS exploit leaves hundreds of sites vulnerable, but there’s an easy fix

Researchers at INRIA, the French national research institute for computer science, have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft.

Karthikeyan Bhargavan and Gaetan Leurent, have devised and carried out an attack – in a crypto research lab – which can pirate traffic from over 600 of the web’s most popular sites and lay bare your previously secure login information.

Recommended Videos

The exploit, dubbed ‘Sweet32’, isn’t easy to carry out, however. It involves mining hundreds of gigabytes of data, and targeting specific users who have accessed a malicious website which saddled them with a bit of malware. Still, the difficulty in carrying out the attack is outweighed by just how completely it subverts some of the internet’s most common encryption schemes.

While the attack is very difficult to carry out in practice, the existence the exploit has security experts on the OpenSSL development team taking notice.

By mining HTTPS or OpenVPN encrypted traffic, the researchers were able to use a mathematical paradox to identify portions of encrypted information and decipher login and password credentials in their entirety.

Don’t panic just yet, security experts speaking with Ars Technica are convinced that the threat posed by the exploit is minimal, in part due to the fact that it’s got a relatively simple fix.

The key vulnerability exploited in the secret-cookie-decryption-scheme is only found in 64-bit block ciphers, which OpenVPN developers have already addressed in the most recent version of their VPN software. Other security experts speaking with Ars have confirmed that the exploit poses little threat as long as developers get on board and stop using 64-bit block ciphers like Triple DES, or ‘3DES’.

“The 3DES issue is of little practical consequence at this time. It is just a matter of good hygiene to start saying goodbye to 3DES,” said Viktor Dukhovni, a member of the OpenSSL team.

Jaina Grey
Former Digital Trends Contributor
Jaina Grey is a Seattle-based journalist with over a decade of experience covering technology, coffee, gaming, and AI. Her…
The Samsung Odyssey Neo G7 gaming monitor is 55% off, but there’s a catch
Samsung's Odyssey Neo G7 on a desk.

The 43-inch Samsung Odyssey Neo G7 gaming monitor is an excellent display for gamers, but it's not always available with a discount from monitor deals, and it's pretty expensive at its original price of $1,000. However, we've found a way for you to get it with a 55% discount, and that's to take advantage of Samsung's open box pricing so that you'll only have to pay $450. That's a massive $550 in savings, and you don't have to worry about the quality of the gaming monitor -- open box products still look brand new and are tested to be working properly. You need to hurry though, as stocks are limited!

Why you should buy the 43-inch Samsung Odyssey Neo G7 gaming monitor

Read more
This quirky AI-powered camera prints poems, not photos
The Poetry Camera.

The Poetry Camera is an ingenious device that doesn’t take photos but instead makes poems.

The clever contraption features a lens that observes its surroundings before using AI to craft a poem inspired by the scene. It then prints the verse through a slot on the front -- similar to how a Polaroid camera delivers photos. You can see it in action in the video above.

Read more
I loved this AI-first web browser, but experts warned me of ‘free’ AI
Launch screen of Dia browser.

“If you're not paying for the product, you are the product.” 

Bogdan Onikiienko, an engineer at MacPaw, dropped that hard-hitting quote on me after using Dia, a new-age web browser that heavily relies on AI. He found it quite useful, but warned me that there are still a few unknowns, especially the privacy aspect.

Read more