Researchers have devised a new attack that can decrypt secret session cookies from about 1 percent of the Internet’s HTTPS traffic and could affect about 600 of the Internet’s most visited sites, including nasdaq.com, walmart.com, match.com, and ebay.in.
Impractical no more
Despite the difficulty in carrying out the attack, the researchers said it works in their laboratory and should be taken seriously. They are calling on developers to stop using legacy 64-bit block ciphers. For Transport Layer Security (TLS), the protocol websites use to create encrypted HTTPS connections, that means disabling the Triple DES symmetric-key cipher, while for OpenVPN it requires retiring a symmetric-key cipher known as Blowfish. Ciphers with larger block sizes, such as AES, are immune to the attack.
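
As an added example (not from the researchers or the original article), the Python code below flags 64-bit block ciphers in an expanded OpenSSL cipher list and in the cipher directives of an OpenVPN config. The function names and sample inputs are constructed for illustration, and the name pattern goes beyond the two ciphers named above to cover DES, IDEA, RC2 and CAST5, which share the 64-bit block size.

```python
import re

# Name tokens that mark a 64-bit block cipher in OpenSSL, IANA or OpenVPN
# cipher names. Triple DES and Blowfish are the two the article names; DES,
# IDEA, RC2 and CAST5 are included because they share the 64-bit block size.
_SMALL_BLOCK = re.compile(
    r"(?<![A-Z0-9])(3DES|DES|BF|BLOWFISH|IDEA|RC2|CAST5?)(?![A-Z0-9])", re.I)

# OpenVPN directives that select the data-channel cipher.
_OVPN_DIRECTIVES = {"cipher", "ncp-ciphers", "data-ciphers", "data-ciphers-fallback"}


def weak_tls_suites(expanded_list):
    """Return the suites in a colon-separated, already expanded cipher list
    (the format `openssl ciphers` prints) that use a 64-bit block cipher."""
    return [s for s in expanded_list.strip().split(":")
            if s and _SMALL_BLOCK.search(s)]


def audit_openvpn(config_text):
    """Return (line_number, finding) pairs for an OpenVPN config."""
    findings, seen = [], False
    for n, raw in enumerate(config_text.splitlines(), 1):
        words = re.split(r"[#;]", raw, maxsplit=1)[0].split()  # drop comments
        if len(words) >= 2 and words[0] in _OVPN_DIRECTIVES:
            seen = True
            findings += [(n, c) for c in words[1].split(":")
                         if _SMALL_BLOCK.search(c)]
    if not seen:
        # Older OpenVPN releases fall back to BF-CBC when nothing is set.
        findings.append((0, "no cipher directive; build default applies"))
    return findings


# Constructed sample inputs (hypothetical host and config).
SAMPLE_SUITES = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:"
                 "AES256-SHA:DES-CBC3-SHA:TLS_RSA_WITH_3DES_EDE_CBC_SHA")
SAMPLE_OVPN = """\
# constructed client config
remote vpn.example.net 1194
cipher BF-CBC   ; legacy setting
auth SHA256
"""

if __name__ == "__main__":
    print(weak_tls_suites(SAMPLE_SUITES))
    print(audit_openvpn(SAMPLE_OVPN))
```

A line number of 0 in the OpenVPN findings means no cipher directive was present, so the effective cipher depends on the installed release and should be checked there.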