New SSL Attack Exploits an Old Problem


Will the Bar Mitzvah Attack finally bring an end to RC4?

A new attack could be the final straw for the RC4 encryption method, which is still used on many systems despite some publicized vulnerabilities and stern warnings from security experts. The Bar Mitzvah attack, announced at the Black Hat Asia conference last week, affects SSL connections that use RC4 for encryption. According to security expert Itsik Mantin, Bar Mitzvah is “… the first practical attack on SSL that does not require man-in-the-middle techniques to steal sensitive data ….”

The attack builds on a 13-year-old vulnerability, the Invariance Weakness, that is “based on huge classes of RC4 weak keys ….” Previous attacks based on the Invariance Weakness required active communication with the target system. The Bar Mitzvah attack is thought to be the first passive attack on RC4.

Web admins should disable RC4 on all web servers, and all users should disable RC4 in their browser’s SSL/TLS configuration. The recent IETF document RFC 7465 requires admins to disable RC4 for all TLS clients and servers.
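
One way to check server configuration against this recommendation, as an added example that is not part of the original article: a small linter that reads nginx `ssl_ciphers` and Apache `SSLCipherSuite` lines and reports whether the OpenSSL cipher string still admits RC4. The status labels, the `BROAD_ALIASES` set and the sample configuration are assumptions made for this illustration; the logic is a conservative heuristic, not OpenSSL's own parser.

```python
import re

# nginx ssl_ciphers and Apache mod_ssl SSLCipherSuite take an OpenSSL cipher string.
DIRECTIVE = re.compile(r"^\s*(ssl_ciphers|SSLCipherSuite)\s+(.+?)\s*;?\s*$", re.I)

# Assumption of this check: these aliases may pull in RC4 suites on older
# OpenSSL builds, so a string that uses them should also carry !RC4.
BROAD_ALIASES = {"ALL", "DEFAULT", "MEDIUM"}


def rc4_status(cipher_string):
    """Return 'excluded', 'enabled', 'build-dependent' or 'not-listed'."""
    killed = listed = broad = False
    tokens = re.split(r"[:, ]+", cipher_string.strip("\"' "))
    for token in filter(None, tokens):
        op = token[0] if token[0] in "!-+" else ""
        name = token[len(op):].upper()
        if name == "RC4" and op == "!":
            killed = True            # permanent: later tokens cannot re-add RC4
        elif name == "RC4" and op == "-":
            listed = broad = False   # removed, but a later token may re-add it
        elif op == "" and "RC4" in name:
            listed = True            # e.g. RC4, RC4-SHA, ECDHE-RSA-RC4-SHA
        elif op == "" and name in BROAD_ALIASES:
            broad = True
    if killed:
        return "excluded"
    if listed:
        return "enabled"
    return "build-dependent" if broad else "not-listed"


def audit(config_text):
    """Return (line_number, directive, status) for each cipher directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            findings.append((number, match.group(1), rc4_status(match.group(2))))
    return findings


# Constructed sample configuration lines, not taken from any real server.
SAMPLE = """\
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
# ssl_ciphers RC4-SHA;
SSLCipherSuite ALL:!aNULL:!eNULL
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
ssl_ciphers "ECDHE+AESGCM:-RC4:ECDHE-RSA-RC4-SHA";
"""
```

Any directive reported as `enabled` or `build-dependent` should gain an explicit `!RC4`, which OpenSSL treats as a permanent exclusion for the rest of the string.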

