CVE-2013-2566 vulnerability found during an audit.

  • Question

  • Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols provide integrity, confidentiality and authenticity services to other protocols that lack these features. SSL/TLS protocols use ciphers such as AES, DES, 3DES and RC4 to encrypt the content of the higher layer protocols and thus provide the confidentiality service. Normally the output of an encryption process is a sequence of random-looking bytes. It was known that RC4 output has some bias. Recently a group of researchers has discovered that there is a stronger bias in RC4, which makes statistical analysis of ciphertext more practical. The described attack is to inject a malicious JavaScript into the victim's browser that would ensure that there are multiple connections being established with a target website and the same HTTP cookie is sent multiple times to the website in encrypted form. This provides the attacker a large set of ciphertext samples that can be used for statistical analysis.

    How can this vulnerability be closed, or is it not worth paying much attention to?

    July 3, 2014, 11:46
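The bias the audit finding describes is a property of the RC4 keystream itself, so it cannot be patched away; the mitigation is to stop offering RC4 cipher suites on the server (and to prefer AES-based suites). The script below is an added example, not part of the original post or any reply, and it assumes a Windows host whose TLS endpoints (IIS, RDP, etc.) use the SChannel stack; on such a host SChannel reads a per-cipher `Enabled` DWORD under the `SCHANNEL\Ciphers` registry key, and a value of 0 removes that cipher from the offered suites. The function names `Get-Rc4State` and `Disable-Rc4` are this example's own.

```powershell
# Added example (not from the original post): reports and then disables the RC4
# ciphers in the Windows SChannel stack, the mitigation for CVE-2013-2566 on Windows.
# Assumption: a Windows host using SChannel for its TLS endpoints.
# Run from an elevated PowerShell session; SChannel picks up the change after a reboot.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Ciphers  = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')

function Get-Rc4State {
    # Returns one object per RC4 cipher key with its current Enabled value.
    # $null means the key or value is absent, i.e. the OS default applies
    # (RC4 is still offered on the Windows builds current in 2014).
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($name in $rc4Ciphers) {
        $sub     = if ($base) { $base.OpenSubKey($name) } else { $null }
        $enabled = if ($sub)  { $sub.GetValue('Enabled', $null) } else { $null }
        [pscustomobject]@{
            Cipher   = $name
            Enabled  = $enabled
            Disabled = ($enabled -eq 0)
        }
        if ($sub) { $sub.Close() }
    }
    if ($base) { $base.Close() }
}

function Disable-Rc4 {
    # The key names contain '/', so the .NET registry API is used instead of
    # New-Item to avoid any path-separator ambiguity. Enabled = 0 tells SChannel
    # not to offer (or accept) the cipher.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    if (-not $base) {
        $base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    }
    foreach ($name in $rc4Ciphers) {
        $sub = $base.CreateSubKey($name)
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
    $base.Close()
}

'RC4 state before:'
Get-Rc4State | Format-Table -AutoSize
Disable-Rc4
'RC4 state after (effective at next reboot):'
Get-Rc4State | Format-Table -AutoSize
```

After the reboot, confirm with an independent check that a TLS handshake against the server no longer negotiates an RC4 suite; if a legacy client then fails to connect, it was relying on RC4 and is the next thing to fix rather than a reason to re-enable the cipher. Disabling RC4 in browsers protects only those clients; the server-side change is what removes the exposure for everyone who connects to the site.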


All replies