[Cryptography] best practices considered bad term
Tony Arcieri
bascule at gmail.com
Wed Feb 4 18:18:08 EST 2015
On Wed, Feb 4, 2015 at 2:51 PM, Ryan Carboni <ryacko at gmail.com> wrote:
> RC4 apparently is too weak, and they think somehow the NSA might improve
> on a statistical attack? Their logic is as nonsensical as attributing
> godlike powers to the NSA and thinking the NSA has improved upon adding two
> num
>
Both Dan Bernstein and Kenny Patterson, two of the people who worked on one
of the statistical attacks against RC4, have suggested that their attack
can be further refined to require fewer ciphertexts
I don't even know how packets are arranged when web pages are sent., I do
> know it comes as multiple packets, but it is possible to distinguish
> between which packet contains the cookie and which packet does not?
>
Cookies are located in the HTTP header at the beginning of the request.
The setup for a practical attack against RC4 is similar to BEAST, CRIME,
BREACH, or POODLE: the attacker has a privileged network position that lets
them passively MitM the victim, and gets the victim to load a malicious
script which makes many, many requests.
If the attacker is driving the victim's browser, they know exactly when
requests start and end.
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150204/4d7d93dd/attachment.html>
More information about the cryptography
mailing list