Skip to main content

New HTTPS exploit leaves hundreds of sites vulnerable, but there’s an easy fix

HTTPS Exploit Leaves Sites Vulnerable
ronstik / 123RF.com
Researchers at INRIA, the French national research institute for computer science, have devised a new way to decrypt secret cookies which could leave your passwords vulnerable to theft.

Karthikeyan Bhargavan and Gaetan Leurent, have devised and carried out an attack – in a crypto research lab – which can pirate traffic from over 600 of the web’s most popular sites and lay bare your previously secure login information.

Recommended Videos

The exploit, dubbed ‘Sweet32’, isn’t easy to carry out, however. It involves mining hundreds of gigabytes of data, and targeting specific users who have accessed a malicious website which saddled them with a bit of malware. Still, the difficulty in carrying out the attack is outweighed by just how completely it subverts some of the internet’s most common encryption schemes.

Please enable Javascript to view this content

While the attack is very difficult to carry out in practice, the existence the exploit has security experts on the OpenSSL development team taking notice.

By mining HTTPS or OpenVPN encrypted traffic, the researchers were able to use a mathematical paradox to identify portions of encrypted information and decipher login and password credentials in their entirety.

Don’t panic just yet, security experts speaking with Ars Technica are convinced that the threat posed by the exploit is minimal, in part due to the fact that it’s got a relatively simple fix.

The key vulnerability exploited in the secret-cookie-decryption-scheme is only found in 64-bit block ciphers, which OpenVPN developers have already addressed in the most recent version of their VPN software. Other security experts speaking with Ars have confirmed that the exploit poses little threat as long as developers get on board and stop using 64-bit block ciphers like Triple DES, or ‘3DES’.

“The 3DES issue is of little practical consequence at this time. It is just a matter of good hygiene to start saying goodbye to 3DES,” said Viktor Dukhovni, a member of the OpenSSL team.

Jayce Wagner
Former Digital Trends Contributor
A staff writer for the Computing section, Jayce covers a little bit of everything -- hardware, gaming, and occasionally VR.
Nvidia celebrates Trump, slams Biden for putting AI in jeopardy
The Nvidia RTX 5090 GPU.

In response to new export restrictions placed on AI GPUs, Nvidia posted a scathing blog criticizing the outgoing Biden-Harris administration. The administration's Interim Final Rule on Artificial Intelligence Diffusion largely targets China with restrictions on AI GPUs, according to Newsweek.

Nvidia disagrees. "While cloaked in the guise of an 'anti-China' measure, these rules would do nothing to enhance U.S. security. The new rules would control technology worldwide, including technology that is already widely available in mainstream gaming PCs and consumer hardware. Rather than mitigate any threat, the new Biden rules would only weaken America’s global competitiveness, undermining the innovation that has kept the U.S. ahead," wrote Nvidia's vice president of government of affairs Ned Finkle.

Read more
This new DirectX feature could completely change how PC games work
A scene from Fortnite running in Unreal Engine 5.

Microsoft has announced that neural rendering capabilities are coming to DirectX soon. Cooperative vector support, as it's called, will lead to "cross-platform enablement of neural rendering techniques," according to Microsoft, and it will usher in "a new paradigm in 3D graphics programming."

It sounds buzzy, but that's not without reason. This past week, Nvidia announced its new range of RTX 50-series graphics cards, and along with them, it revealed a slate of neural rendering features. Neural shaders, as Nvidia calls them, allow developers to execute small neural networks from shader code, running them on the dedicated AI hardware available on Nvidia, AMD, Intel, and Qualcomm GPUs. Microsoft is saying that it will enable these features on all GPUs, not just those sold by Nvidia, through the DirectX API.

Read more
This gaming PC with an RTX 4060 is on sale for $1,000 today
The iBuyPower Trace 7 on a white background.

Best Buy often has some great gaming PC deals, with one highlight available today: Right now, you can buy the iBuyPower Trace 7 gaming PC for $1,000 instead of $1,300. The PC includes the RTX 4060 GPU, so it’s ideal for mid-range gaming. It even comes with a keyboard and mouse, so you only need to make sure you have a screen to add to it. If you’re looking to upgrade your gaming PC for less, here’s what it has to offer.

Why you should buy the iBuyPower Trace 7
You won’t see anything from iBuyPower in our look at the best gaming PCs, but don’t let that discourage you. This is still a good option for those on a budget. This particular model has great hardware for the price. It has an AMD Ryzen 7 5700 CPU teamed up with 16GB of RAM and 1TB of SSD storage. More pivotal for a gaming PC is its graphics card: a GeForce RTX 4060 with 8GB of VRAM.

Read more