New collision attacks against triple-DES, Blowfish break HTTPS sessions

Discussion in 'Network World' started by RSS, Aug 25, 2016.

  1. RSS

    RSS New Member Member

    There is now a practical, relatively fast attack on 64-bit block ciphers that lets attackers recover authentication cookies and other credentials from HTTPS-protected sessions, a pair of French researchers said. Legacy ciphers Triple-DES and Blowfish need to go the way of the broken RC4 cipher: Deprecated and disabled everywhere.

    In the attack, dubbed Sweet32, researchers were able to take authentication cookies from HTTPS-protected traffic using triple-DES (3DES) and Blowfish and recover login credentials to be able to access victim accounts, said the researchers, Karthikeyan Bhargavan and Gaëtan Leurent of INRIA in France. The attack highlights why it is necessary for sites to stop using legacy ciphers and upgrade to modern, more secure ciphers.
