Skip to main content
  1. Home
  2. Computing
  3. Web
  4. News

New HTTPS exploit leaves hundreds of sites vulnerable, but there’s an easy fix

Jayce Wagner
By

HTTPS Exploit Leaves Sites Vulnerable
ronstik / 123RF.com
Researchers at INRIA, the French national research institute for computer science, have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft.

Karthikeyan Bhargavan and Gaetan Leurent, have devised and carried out an attack – in a crypto research lab – which can pirate traffic from over 600 of the web’s most popular sites and lay bare your previously secure login information.

The exploit, dubbed ‘Sweet32’, isn’t easy to carry out, however. It involves mining hundreds of gigabytes of data, and targeting specific users who have accessed a malicious website which saddled them with a bit of malware. Still, the difficulty in carrying out the attack is outweighed by just how completely it subverts some of the internet’s most common encryption schemes.

While the attack is very difficult to carry out in practice, the existence the exploit has security experts on the OpenSSL development team taking notice.

By mining HTTPS or OpenVPN encrypted traffic, the researchers were able to use a mathematical paradox to identify portions of encrypted information and decipher login and password credentials in their entirety.

Don’t panic just yet, security experts speaking with Ars Technica are convinced that the threat posed by the exploit is minimal, in part due to the fact that it’s got a relatively simple fix.

The key vulnerability exploited in the secret-cookie-decryption-scheme is only found in 64-bit block ciphers, which OpenVPN developers have already addressed in the most recent version of their VPN software. Other security experts speaking with Ars have confirmed that the exploit poses little threat as long as developers get on board and stop using 64-bit block ciphers like Triple DES, or ‘3DES’.

“The 3DES issue is of little practical consequence at this time. It is just a matter of good hygiene to start saying goodbye to 3DES,” said Viktor Dukhovni, a member of the OpenSSL team.

Editors' Recommendations

Twitter is building a menu option for Twitter Shops
A person's hands holding a smartphone as they browse Twitter on it.
This new Windows 11 feature will help you protect your passwords
A man sits, using a laptop running the Windows 11 operating system.
Instagram is building a ‘nudity protection’ tool for your DMs
Instagram app on the Google Play Store on an Android smartphone.
Hackers may be hiding in plain sight on your favorite website
A depiction of a hacked computer sitting in an office full of PCs.
Best laser printer deals: Save on Brother and Canon today
A person uses a smartphone to print something with a Brother MFC-L2710DW wireless monochrome laser printer on an office table.
The best gaming laptops in 2022
2019 Razer Blade Pro 17
The best Wi-Fi 6 routers for 2022
The Nighthawk RAXE300 on a tabletop in a home.
The best Chromebooks for 2022: great choices at every price point
Close up of the Chrome logo on the top of a Chromebook.
Best Chromebook deals for October 2022
Google Meets on an HP Chromebook.
Best HP Envy deals for October 2022
An HP Envy 17-inch laptop sits on an office desk.
Best desktop computer deals for October 2022
The HP Pavilion desktop computer accompanied by two gaming monitors and a colorful gaming keyboard.
Best VPN deals and sales for October 2022
A close-up of a computer monitor displaying a generic VPN.
Best refurbished laptops deals and sales for October 2022
microsoft surface laptop go 2020 on desk