Update: 7th September 2015: As mentioned in a more recent blog post Mozilla, Google and Microsoft have announced plans to complete the phase out of RC4 in early 2016. Their actions will mean that the advice provided below will be redundant.
Two researchers from the University of Leuven have published a research paper that describes a refined attack technique on the cryptographic algorithm RC4 (Rivest Cipher 4, originally developed by cryptographer Ron Rivest).
While previous attacks on RC4 have been detailed in the past the amount of time needed, approximately 2000 hours meant that such attacks while possible were not practical enough to make them likely. The new attack should take about 75 hours to locate the correct authentication cookie used in an encrypted session.
The attack has been reduced in time due to new biases that have been found in the initial keystream bytes of RC4 which means that fewer encrypted samples of the desired authentication cookie are required (reduced from 13 . 2 ^ 30 to 9 . 2 ^ 27). In addition, the algorithm used to gather these samples can now make 4450 requests per second, an increase from 1700 requests per second of a previous attack method. These requests collect all possible values of the authentication cookie and then an algorithm is used to brute force these collected values until the desired value is found. This has resulted in the dramatic decrease in the time needed for this attack to be successful. The researchers tested this attack on real-world devices and achieved a time of 52 hours (see the “Demonstration” heading) needed to obtain the actual authentication cookie.
While 75 and 52 hours are very quick times in which an encrypted session can be compromised (in addition this attack does not require that a web browser remain open during the entire attack, since it can be resumed at a later stage), such an attack can still be avoided if the session time out value of a cookie is less than the time needed to complete the attack. Since this attack is against RC4, implementing Forward Secrecy (while an excellent additional security measure) will not fully protect from this underlying flaw within RC4.
Why should this attack be considered important?
If this RC4 attack were used by an attacker they could then hijack the website account that you are logged into and carry out any action that your account could. A summary of such actions is provided in the “Introduction” paragraph of the researcher’s website. In addition, since WPA-TKIP also uses RC4, this attack would allow an attacker to view your traffic (which travels between your device and a wireless router/wireless access point) after 1 hour or less.
How can I protect myself from this issue?
If you maintain/are the administrator of a website that uses RC4 to provide HTTPS, it would be recommended to migrate to a newer cipher e.g. AES-GCM since it provides added security while maintaining acceptable performance. Unfortunately approximately 30% of websites still use RC4.
You should also consider disabling RC4 within your web browser. I have provided a summary of how to do this for some web browsers:
Mozilla Firefox: Visit about:config Perform a search for RC4, set all results to false by double clicking them.
Internet Explorer: See this Microsoft SRD blog post for details.
You can verify that RC4 is disabled by testing your web browser after disabling RC4. RC4 should not appear in the Cipher Suites heading of this test.
If your wireless router/wireless access point is using WEP or WPA-TKIP, please consult the manual of your router/access point to determine if it supports the more modern WPA2 encryption and switch to WPA2 if you can. A disadvantage of using WPA2 is that some older wireless devices don’t support it. One device that I previously used on my network occasionally was from 2008 (WPA2 was introduced in 2006) and it did support WPA2 (it still worked online after enabling WPA2 along with a new pre-shared key). However I realize not all devices from this timeframe would have this flexibility.
If you use Java, consider installing the most recent Java SE/JDK update since it removed RC4 from the cipher suite of both client and servers installations of Java.
While this new RC4 attack remains a potential option for attackers it is less likely to be used given that it would take approximately 72 hours to complete (assuming the cookie session timeout is also long enough to allow this).
However it would be prudent to switch to newer ciphers and encryption methods (for wireless routers/wireless access points) since time will likely allow this attack to be refined further (in the case of the HTTPS exploit method detailed above) or newer attacks to be derived from it meaning that the use of RC4 will become riskier over time. Moreover, newer ciphers already offer superior security to RC4. In addition, WPA-TKIP has previous known weaknesses, providing another reason to use WPA2 for your wireless routers/wireless access points.