Security over the Internet is a topic of great concern among industry experts, as it looks like we are on the brink of facing a massive threat. As much as one-third of the world’s encrypted Web connectivity suffers from a fatal flaw, which could be exploited any day now. Additionally, the same type of attack can be used to break into certain types of wireless networks.
The cryptographic cipher RC4 — also known as Rivest Cipher 4 or ARC4 — is used in some of the most common internet security protocols, such as Transport Layer Security (TLS). RC4’s Main benefits are its simplicity to use, and speed in software, yet it also packs a few serious weaknesses arguing against its own usage in new systems.
Anyone who has used a wireless internet connection in their life will have noticed that Wi-Fi networks are always protected by a certain layer of security. In most cases, this layer is called WPA or WPA2. However, there used to a version called WEP, which is one of the most insecure protocols to protect wireless internet connectivity, and is also based on RC4.
Since the start of 2015, rumors have been surfacing about state cryptologic agencies possessing the tools to break RC4 cryptographic, even when it is used at its strongest in TLS connections. As a result, companies such as Mozilla and Microsoft have been lobbying to disable RC4 cryptographic wherever possible. But it looks like the threat is far from over.
Even though the main objective of RC4 is to generate pseudo-random bytes to encrypt messages, there are vulnerabilities within the cryptographic cipher making it vulnerable to predicting some of these bytes. Whereas such an attack took researchers nearly 2,000 hours back in 2013, the same attack can now be executed within 75 hours at a 94% accuracy. A similar type of attack against WPA-TKIP wireless networks — to brute force authentication — only takes about an hour to succeed.
The worrisome state of RC4 was addressed by a team of scientists in a blog post:
“Our work significantly reduces the execution time of performing an attack, and we consider this improvement very worrisome.Considering there are still biases which are unused, that more efficient algorithms can be implemented, and better traffic generation techniques can be explored, we expect further improvements in the future.”
Potential Outcomes Of A Successful Attack
If the vulnerabilities in the cryptographic cipher RC4 were to be successfully exploited by a hacker, the results will be quite dramatic. Not only could such an attack be used to decrypt internet cookies — which store a ton of sensitive data regarding your browsing activity — but Wi-Fi packets can also be decrypted — allowing a hacker to monitor your every move on the internet. Additionally, any plain text data transmitted in the RC4 encrypted stream can be intercepted.
HTTPS-protected web sites,of which roughly one-third rely on RC4 today, are only facing the threat in theory for the time being. That being said, there is a lot of hassle associated with retiring widely used technologies. As a result, the RC4 standard will need to replaced sooner rather than later.
“We consider it surprising this is possible using only known biases, and expect these types of attacks to further improve in the future. Based on these results, we strongly urge people to stop using RC4,” states a research paper, scheduled to be released next month at the 24th Usenix Security Symposium.
Bitcoin Websites To Be Affected As Well
Most Bitcoin platforms — including exchanges, mobile wallet providers and even the Bitcointalk forum — rely on HTTPS connections to create a safe and secure environment for customers. If the RC4 vulnerability were to be exploited at some point, many Bitcoin sites could be facing the consequences as well.
The reason is that HTTPS/TLS certification is done by only a handful of companies. Comodo is the largest issuer of HTTPS/TLS certificates, followed closely by Symantec. Other companies include Godaddy, GlobalSign and DigiCert. As long as not all of these parties stop using the RC4 cryptographic cipher, there will always remain a threat to HTTPS/TLS-based websites and services.
What are your thoughts on the weaknesses present in RC4, and what action can Bitcoin companies undertake to ensure this vulnerability will never affect them? Let us know in the comments below!
Source: Ars Technica
Images courtesy of Shutterstock, Redhat Security Blog